Author Archives: privacynewshighlights

09-15 January 2016



CA – Candid Facial-Recognition Cameras to Watch for Terrorists at Border

Canada’s border agency plans to compare images of people arriving in the country with photographs of suspects on watchlists to keep out alleged terrorists and other criminals. In his recently released annual report, privacy commissioner Daniel Therrien says his office provided advice on the potential pitfalls, including the possibility of “false positives” that could result in unnecessary secondary screening for travellers. The office also urged the border agency to assess the risks of using such technology, including issues that might arise during testing phases. [Source]

US – Court Rules Shutterfly May Have Violated Privacy by Scanning Face Photos

A US federal judge has denied a motion to dismiss a civil case against photo-sharing site Shutterfly that claims the company violated users’ privacy by collecting and scanning face geometries from uploaded images without consent. The first-of-its-kind ruling could open the door to future class-action lawsuits against Shutterfly and other social networks that use facial recognition technology without an opt-in policy. [Source] [Court Ruling on Shutterfly Face Scans Could Spell Trouble for Facebook]


CA – Ontario Court Provides Clear Guidance on Privacy and “Tower Dumps”

The Ontario Superior Court released an important decision in R. v. Rogers & Telus, 2016 ONSC 70, which provides police and prosecutors with clear guidance on when and how they can obtain telco customer information through “tower dumps”. Tower dumps are the production of all the records of a cell phone tower at a particular time. Since your mobile phone is always communicating with at least one tower, tower dumps can tell the police who is in the vicinity of a particular location at a particular time. They are troubling because the records overwhelmingly contain information about people who have nothing to do with the underlying investigation. [David Fraser blog] See also: [Rogers, Telus Await Landmark Ruling on Cellphone Privacy], [Police sweeps of cellphone records violate privacy rights, judge rules], [Ontario court rules police orders breached cellphone users’ Charter rights] and [Why Canada’s Telecom Regulator Is Suddenly Acting More Like the Cops]

CA – Thousands Flagged by Canada’s New Air Passenger Screening System

Canada’s new security system for scrutinizing people who arrive by airplane singled out more than 2,300 passengers for closer examination during a recent three-month period, the federal border agency says. The CBSA says the travellers – flagged for possible links to terrorism or serious crime – represented a tiny fraction of the millions who flew into the country. Still, privacy and civil liberties watchdogs want to know more about the border agency’s so-called scenario-based targeting system to ensure individual rights are not being trampled. The agency has implemented the targeting system, already used by the United States, as part of Canada’s commitment to co-operate with Washington under the 2011 continental security pact known as the Beyond the Border initiative. Privacy Commissioner Daniel Therrien is pressing the border agency to explain the program’s rationale and build in safeguards to protect individual liberties. Travellers may be targeted if they fit the general attributes of a group due to traits they cannot change such as age, gender, nationality, birthplace, or racial or ethnic origin, he warns. [Source]

CA – Canada’s Military Plans to Monitor the World’s Social Media

Canada’s military wants to monitor and analyze the world’s social media streams, with 24/7 access to real-time and historical posts on websites like Twitter, Facebook, and Instagram. And they don’t want anyone knowing it’s them doing the monitoring, either. The Department of National Defence and its research wing, Defence Research and Development Canada, are in the market for a new Internet monitoring platform that can analyze and filter the daily firehose of social media posts. The platform envisioned by the military will pull from the most popular social media sites — Twitter, Facebook, YouTube, Instagram — but will also track data from a much broader range of websites. Blogs, message boards, Reddit, even the comment sections on news sites will be brought in for review and analysis by as many as 40 intelligence officers. A spokesman for DND said the platform is not intended to be directed at Canadians’ online activity, and will comply with Canadian privacy laws. [The Star]

CA – Greg Clark Demands Fresh Probe into Alberta Shred-Gate Scandal

Nearly 350 boxes of documents were destroyed improperly by the outgoing PC government, the privacy commissioner says. Calgary MLA Greg Clark says the NDP must bring in new rules and penalties. “What’s important is that the rules are clear about what can be destroyed, and when it’s destroyed and why it’s destroyed and that we have a record of it having been destroyed and what it was before it was destroyed.” [CBC News]

CA – MP McGuinty to Chair Parliamentary Committee to Monitor Spying, Security

The Liberals are planning to table legislation by June creating the first all-party committee of parliamentarians to monitor the top-secret operations of Canada’s expanding national security establishment. Public opinion polling shows many Canadians want a tighter watch over spy agencies and other federal intelligence gatherers, commensurate with their extended powers under C-51. [Source] [Canada campaigners to demand public debate on controversial anti-terror law]

CA – Goodale says Canada Must Be ‘World Leader’ in Tackling Radicalization

The public safety minister promises more money for the RCMP to fight home-grown extremism. Responding to questions about recent media reports about children and others erroneously tagged on the no-fly list and flagged as national security risks, Goodale said existing regulations do not require secondary screening for children under 18 years of age. Airlines may be “going beyond what they are required to do,” he said. “They may have been misinformed or confused about the application of the rules.” Goodale also provided more details on ways the government could strengthen the no-fly list to ensure children aren’t erroneously barred from flights or subject to secondary screening. [Source] [Government may take extra steps to examine security agencies: Goodale]

CA – Pilot Project Has Victoria Buses Equipped With Audio Security

B.C. Transit has added audio security equipment to 109 buses already equipped with security cameras, all part of a pilot project to see how much the safety of operators and passengers can be improved by such devices. As of Monday, the audio will always be on in the operator’s compartment, at least until April, when the one-year $400,000 pilot project concludes. All but 25 of the buses are in Victoria; the remainder are in Kamloops. The change means that conversations between the operator and a passenger will be recorded. “The audio recording is always on, just like the camera system, from the time the bus turns on until it is off. If there is an incident, the operators push a ‘tag’ button, which allows us to find it and download it after an incident.” As well as audio coming onstream, Monday marked the activation of two external side-mounted cameras on 13 buses in the Victoria fleet. Officials from the BC OIPC have talked to Transit security staff about surveillance concerns, but nothing has changed since commissioner Elizabeth Denham raised concerns in April. [Times Colonist] See also: [CA – The thorny issue of retention periods – Insurers Beware]


US – Majority of Parents Monitor Their Teens’ Digital Activity

The Pew Research Center surveyed parents of 13 to 17-year-olds and found that they’re taking a range of steps to keep track of their kids’ online lives and to encourage them to use technology appropriately and responsibly. [Source]

US – Americans Would Trade Privacy for Safety: Pew Study

When it comes to coaxing personal information out of Americans, a Pew Research Center report found certain factors, like safety, lead to greater acceptance than cost savings can. It turns out that the tipping-point issues in balancing these privacy concerns include: how valuable the benefit survey participants will receive is in return for their personal information, how they view the company or organization that is collecting the data, the length of time that the data is retained, and what is done with this data once it is collected. [Source]

WW – Lack of Trust Deters More Than a Third of Mobile Users From App Use

AVG Technologies and MEF’s 2016 Global Consumer Trust Report found that more than 36% of consumers have either procrastinated or eschewed some mobile apps altogether due to the privacy concerns the tools raise. This is the fourth consecutive year that concerns of this nature took the study’s top spot. “The data confirms what we know to be true: lack of trust is increasingly becoming a barrier to the use and proliferation of mobile apps,” said AVG’s Harvey Anderson. “One of the most interesting findings was that almost half of the consumers surveyed worldwide were willing to pay more for privacy-friendly apps that ensure that the data collected is not shared with third parties,” he added. [eWeek]


US – Contractors Must Ensure Adherence to DoD Interim Order on Cloud Computing and Sub-contracting

Government contractors must undertake to comply with the Department of Defense’s interim rules from August 2015 (cloud computing) and October 2015 (supply chain). Government contractors should:

  • ensure that the physical storage location of cloud services is within the United States or outlying areas of the United States;
  • ensure that their employees, as well as employees of subcontractors, are aware of and bound by appropriate confidentiality obligations; and
  • implement a reasoned process to establish and verify suppliers under covered contracts as “trusted suppliers” (and take steps to replace those that are unable to qualify).

[Security Developments for Government Contractors – Squire Patton Boggs] See also: [Amazon Will Open First Cloud Data Storage Centers in Canada]


US – Yahoo Agrees to Settle Email Privacy Suit

Yahoo! has agreed to settle a class action challenging the way the company analyzes email messages to serve targeted ads to users of its popular Yahoo Mail service. The deal would settle claims brought on behalf of non-Yahoo subscribers who claimed their messages were intercepted, scanned and stored as part of communications with Yahoo Mail users. The settlement is subject to approval from U.S. District Court Judge Lucy Koh who has been overseeing In re Yahoo Mail Litigation, 13-4980. The proposed settlement doesn’t include a cash payout to class members. However, the company has pledged to make changes to its privacy disclosures and the architecture of its email system. [The Recorder]

Electronic Records

WW – Survey: Credential Theft, Alert Volumes Top List of Concerns

A survey from Rapid7 asked nearly 300 security professionals worldwide to list their top security concerns. 90% of respondents said they are worried about compromised credentials; 60% said they are unable to detect such attacks. 62% of respondents said that their organizations receive more security alerts than they can manage. [The 2015 Incident Detection and Response Survey] [CSO Online] [eWeek]


WW – 200 Experts Oppose Backdoors for Encryption

A group of 200 experts has urged the world’s governments not to introduce backdoors into encryption products in an open letter posted this week, echoing sentiments expressed by the Dutch government in a formal position on encryption published last week. The letter addresses itself to “the leaders of the world’s governments” and urges them to support encryption as a way to “protect the security of your citizens, your economy, and your government.” The letter ends with a five-point argument that governments should:

  • Not limit access to encryption
  • Not mandate backdoors
  • Not require that third parties have access to encryption keys
  • Not try to weaken encryption standards
  • Not pressure companies into breaking any of the previous four points

[The Register] See also: [French government rejects crypto backdoors as “the wrong solution”]

US – Juniper Networks Will Replace Questionable Components from its Products

Juniper Networks says it will remove code developed by the NSA from its firewall products. The code was found to silently decrypt traffic sent through virtual private networks. Juniper plans to replace a cryptography component in its ScreenOS operating system. [ArsTechnica] [Wired] [eWeek]

US – FTC Fines Encryption Software Company $250,000

Henry Schein Practice Solutions, Inc. has agreed to settle FTC charges that it misled customers about encryption of patient data. An FTC agreement (in effect for 20 years) resolves complaints that the company deceptively claimed that its product provided industry-standard encryption of sensitive patient information as required by the Health Insurance Portability and Accountability Act; the company is required to notify all affected customers within 60 days, establish a toll-free number and email address to respond to inquiries, and provide customer information to enable the FTC to administer consumer redress. [FTC In the Matter of Henry Schein Practice Solutions Inc – Agreement Containing Consent Order]

US – Interior Department IG Finds Laptop Encryption Ineffective

According to an advisory from the US Interior Department’s Deputy Inspector General, misconfigured software on nearly 15,000 department laptops could lead to data theft. Although the full-disk encryption software was initially configured to run pre-boot authentication, settings have been altered so the computers run post-boot authentication, making the data on the systems vulnerable to a specific attack. The advisory recommends that Interior’s CIO “mandate the use of pre-boot authentication on all laptops and implement a monitoring and enforcement program that mitigates noncompliant systems.” [Desert News] [FedScoop] [DOI IG Report] See also: [Ransomware Evolution: Another Brick in the CryptoWall]

EU Developments

UK – Tougher Sentencing Powers Needed to Deter Data Thieves, Says ICO

The UK information commissioner Christopher Graham has called for stronger sentencing powers for people convicted of stealing personal data, after a woman who sold 28,000 pieces of sensitive driver data was fined just £1,000. [The Guardian] [UK privacy watchdog wants to be able to send data thieves to prison: Resumes campaign for new powers] SEE ALSO: [Journalists warned that ‘snoopers’ charter’ bill is part of ‘no privacy for us, no scrutiny for them’ Government strategy] [“UK doesn’t do mass surveillance,” claims Theresa May in bid for new Snooper’s Charter. End-to-end crypto is fine, apparently, but information must be “readable.” Hmm] [ICO Questions Data Retention Plans Under Snoopers’ Charter Draft] [Here are the warnings from Facebook, Google, other firms about Britain’s proposed “mass surveillance” law] [U.S. Tech Giants Join Forces Against U.K. Spying Plans] [Tech giants call on UK government to ensure new surveillance laws are ‘jurisdictionally bounded’]

EU – EDPS Issues Recommendations for EU Communications Data

The European Data Protection Supervisor has issued guidelines for processing of the following categories of electronic communications data (“eCommunications”) for EU institutions: telephone, email and internet. Key recommendations include defining the content and conservation period of security logs, ensuring generated statistics are anonymous, informing staff and callers of possible recordings before they happen, and ensuring that covert monitoring of employees undergoes a prior check, has a compelling justification and includes a register of all authorisations and instances of monitoring. [EDPS – Guidelines on Personal Data and Electronic Communications in EU Institutions]


US – The NSA Said It Needs 4 Years to Answer a FOIA About a Coloring Book

Since at least 2005, the NSA has employed a cast of cartoon cats, squirrels, turtles, and other woodland creatures who like to encourage children to pursue the politically important subject of cryptography and perhaps eventually a job in national security. Crypto Cat and crew espouse many virtues, but “transparency” and “timeliness,” do not appear to be among them. [Source]

CA – BC Judge rules to Open Secret Terror Hearing

B.C. Supreme Court Justice Catherine Bruce ruled that it is possible to protect the privacy and safety of a Canadian Security Intelligence Service source without the need to keep a hearing entirely confidential in connection to the investigation of John Nuttall and Amanda Korody. The fundamental principle of open court means that in-camera hearings should only be used as a last resort when other security measures won’t work, Bruce said in her ruling. “I find there is scope for a more limited order than was originally proposed.” [Source]

US – Librarians Purge User Data to Protect Privacy

US libraries are doing something even the most security-conscious private firm would never dream of: deleting sensitive information in order to protect users. Multiple librarians have pushed back against “national security letters” that would do just that in the name of public safety – a dangerous order to resist, since those letters include a gag order. But in 2005, when the FBI served a national security letter to Connecticut’s Library Connection demanding reading records and hard drives, the librarians resisted with such force that the government capitulated. The American Library Association had their backs, resolving unanimously to “condemn the use of National Security Letters to demand any library records”. [Source]

Health / Medical

US – HHS Unveils New Tools to Help Patients Understand HIPAA Privacy Rules

Federal agency says people too often face obstacles to accessing their health information. “Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule,” Jocelyn Samuels, HHS director of the Office for Civil Rights wrote. “This must change.” [Source]

UK – NHS-Backed Health Apps ‘Riddled With Security Flaws’

All of the NHS-approved apps audited by a private firm lacked binary protection against code tampering, and most also lacked adequate protection in the transport layer. Flaws also emerged in FDA-approved health apps in use in the US. Arxan found at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks in 90% of the 126 apps investigated. More than 80% of the health apps tested that were approved by the US FDA or the UK NHS were also found to have at least two of the OWASP Mobile Top 10 Risks. The findings are part of Arxan’s 5th Annual State of Application Security Report, which this year focused on healthcare and finance apps. The upshot is that mobile health apps approved by regulatory/governing bodies are nearly as vulnerable as other mobile apps. [Source]

Horror Stories

CA – Halifax Man Finds Apparent Military Hard Drive at Recycling Depot

A 30 GB hard drive found at a recycling depot that a Halifax man says contains personal information including the names and numbers of defence personnel has been taken by the military. Pete Stevens said he recovered about 10 GB of data from the 30 GB hard drive, including 6,000 photos, spreadsheets with the names and numbers of military personnel and their families, and completed applications for security clearance. [CTV News] [CBC: Canadian military investigating after hard drive found at recycling depot]

CA – Sask RN in Deep Over Facebook Posts About Her Granddad

A Prince Albert nurse, Strom, could be disciplined for writing a Facebook post about the “subpar care” her grandfather received in a Macklin hospital. A registered nurse at St. Joseph’s reported the comments to the Saskatchewan Registered Nurses’ Association (SRNA), the provincial body that regulates nurses. The SRNA charged Strom with professional misconduct. It’s the first time the association has laid such charges against a member for comments made on social media. The SRNA argues Strom violated the provincial Health Information Protection Act by disclosing her grandfather’s confidential health information online, failed to raise her concerns with the appropriate people and tarnished the reputations of St. Joseph’s and its staff. Because Strom identified herself as a registered nurse in her post, she “engage(d) the professional image of registered nurses in general as well as (her) personal professional obligations,” SRNA said in the hearing notice. Strom said she was “shocked” by the charges. “What worries me about this is: Is this going to hinder future family members, who just happen to be health-care workers, from advocating for their family members for fear of retribution from the SRNA?” she asked. “It bothers me.” [Saskatoon StarPhoenix] [Editorial: Questionable case of misconduct] [CBC: Facebook post leaves Prince Albert, Sask. nurse charged with professional misconduct]

Identity Issues

CA – Manitoba Government Approves All-In-One Personal Identification Card

Manitobans will soon have access to an all-in-one personal identification card (PIC). The PIC will integrate a person’s health identification number (PHIN) onto the back of driver’s licences and photo identification cards, which are expected to be issued starting in the fall of 2017, and will be authenticated using industry-proven policies, procedures and practices currently in place at Manitoba Public Insurance. Manitoba Public Insurance already issues photo identification to approximately 92% of health card holders. Anyone who requires a Manitoba Health Card will transition to a new PIC at no charge. Manitoba Public Insurance launched a comprehensive, five-week public and stakeholder consultation process last August. More than 4,000 Manitobans and 29 stakeholder organizations provided input. The full consultation report is available for viewing on the MPI website at [Source]

Online Privacy

EU – German Court Calls Facebook’s Find-a-Friend Function Illegal

A German court has ruled that Facebook Inc.’s current find-a-friend function is illegal, labeling it an unacceptable and intrusive form of advertising. The decision by the Federal Court of Justice this week upholds a previous ruling by a lower court against Facebook, which has faced a number of legal disputes in Europe regarding privacy protection. Facebook’s find-a-friend function accesses users’ email address books and sends invitations to contacts who aren’t yet members of the social-network site. [WSJ]

Privacy (US)

US – Patients Can Sue for Data Breach Based on Data Exposure Alone: Court

A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of the plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information. This decision is significant for several reasons. First, the case represents a comparatively lax approach to standing, in which alleging the mere exposure of information with the potential for access and misuse by unauthorized persons pleads sufficient injury to establish standing and survive a motion to dismiss. In contrast, in Clapper, 133 S. Ct. 1138, 1143 (2013), the U.S. Supreme Court held that plaintiffs who alleged that the NSA actually had access to their private telephone and email conversations through its surveillance program still lacked Article III standing to sue based on the theory that their communications would be obtained at some future point. In other words, the threat of future injury was insufficient to support Article III standing even where access, not just exposure, to private information was actually alleged. [Source] See also: [US – The new way police are surveilling citizens: Calculating their threat ‘score’]


EU – Companies Unprepared for EU GDPR: Study

IT governance and technology deficiencies impede organizations from complying with the “Right to be Forgotten” and the EU GDPR by 2018. Although 46% of global organizations received customer requests to remove data in the last 12 months, 41% lack defined processes, documentation and technology, according to a Blancco Technology Group study. Key corporate security trends that surfaced from the study include:

  • Awareness of GDPR is high (48%) among global IT professionals, but their level of preparation is much lower. 40% admit to being less than fully prepared – with 16% still needing to find the right data removal software, 9% uncertain of how and where to start, and 15% not even knowing if they are prepared.
  • Lack of documentation, processes and tools increases the likelihood of GDPR violations. 60% of the surveyed IT professionals stated that it would take their organisation up to 12 months to implement the necessary IT processes and tools to pass a “right to be forgotten” audit, while 25% do not know how long it would take.
  • Data erasure software (48%) tops the list of the most valuable type of technology to ensure GDPR compliance, followed by encryption key removal tools (26%) and malware removal tools (10%).
  • IT professionals inside and outside of Europe (65%) are keen to implement data protection laws similar to the framework of EU GDPR.

[Security News]

US – PCI SSC Explains How to Respond to a Data Breach

Recently, the Payment Card Industry Security Standards Council (PCI SSC) published a three-page guide titled “Responding to a Data Breach” that articulates its position on the correct response to a security incident at a merchant location where the attack exposed cardholder data. The guidance also highlights some of the difficulties in developing proper response procedures, specifically the challenges in mapping out complete, thorough procedures that actually hold up under the stress of an actual incident. [Privacy Advisor]

WW – Known Vulnerabilities Cause 44% of All Data Breaches: Study

Most IT experts are well aware of the need to patch vulnerabilities in their systems as soon as possible, but despite this, known security issues remain the leading cause of corporate data loss and production downtime in the enterprise. That’s the biggest finding of BMC Software Inc.’s latest security survey, The Game Plan for Closing the SecOps Gap. The report, which was conducted by Forbes Insights on behalf of BMC and surveyed more than 300 C-level executives from U.S. and European firms, found that known vulnerabilities are the leading cause of data breaches, accounting for 44 percent of all such incidents. [Source]


US – New York to Appoint Civilian to Monitor Police’s Counterterrorism Activity

The New York City mayor will appoint an independent civilian to monitor the New York Police Department’s counterterrorism activities, as the city moves to settle a pair of lawsuits over surveillance targeting Muslims in the decade after the Sept. 11 attacks. With the settlement, the surveillance of Muslims becomes a chapter in the long history of controversial police tactics in New York. [New York Times]

EU – Belgian DPA Requests Opinion of US Surveillance Laws Under Schrems

The European Court of Justice (ECJ) failed to take into account numerous changes in U.S. surveillance practices when it invalidated the Safe Harbor program in the Schrems case, according to a report by Prof. Peter Swire. The Schrems decision reflected a “serious misunderstanding of U.S. national security law,” the report concluded. Swire finds:

  • that the U.S. legal order as related to privacy and surveillance is “essentially equivalent” to the EU’s,
  • that the ECJ came to the wrong conclusion regarding section 702 of the PRISM program, and
  • that the decision neglected the two dozen significant reforms the U.S. has made to its surveillance practice since 2013.

The Belgian Privacy Authority requested that the report answer two questions for a forum on the Schrems decision that it hosted:

  1. Is U.S. surveillance law fundamentally compatible with EU data protection law?
  2. What actions and reforms has the U.S. taken since Edward Snowden’s revelations of U.S. government surveillance began in June 2013? [More at]

US – Why the Non-Malicious Insider Is Quickly Becoming a Huge Threat

Despite the steadily increasing number of enterprises adopting security software, which has proved important in enabling companies to more successfully secure and track sensitive data, there is a big missing link to tie all of these efforts together: employee education. According to a recent survey we conducted with CoSoSys customers, 35% of enterprise employees think that data security is not their responsibility. This is a serious issue when you consider that 70% of these employees have access to and use confidential company files. Additionally, 60% don’t even know which files are confidential or not. When you add disgruntled or recently fired employees whose system access had not yet been revoked to the mix, companies are leaving themselves open to a potentially devastating breach. [Source]

US Government Programs

US – New Student Database Slammed by Privacy Experts

The U.S. Education Department’s new planned system of records that will collect detailed data on thousands of students — and transfer records to private contractors — is being slammed by experts who say there are not adequate privacy safeguards embedded in the project. The non-profit Electronic Privacy Information Center, or EPIC, told the department in a January 2016 formal complaint that its new system of records for the “Impact Evaluation of Data-Driven Instruction Professional Development for Teachers” violates the Privacy Act by: (1) collecting irrelevant and unnecessary information and (2) not clearly stating the purpose of the proposed routine use disclosures. [Washington Post] [The astonishing amount of data being collected about your children]

US – Report: Feds Leave 42% of Cybersecurity Recommendations Undone

The Government Accountability Office discovered that out of its 2,000 recommendations on cybersecurity for federal agencies in the past six years, 840 remain undone, for a completion rate of 58%. This number contrasts greatly with the average completion rate for general recommendations of 80%. “Implementing this and other outstanding recommendations could better protect federal data and federal agencies’ responses to cyberattacks and data breaches,” the agency wrote in a blog post. [FedTech]

US Legislation

US – House Passes Substantial FOIA Reforms

Congress has passed the FOIA Oversight and Implementation Act, H.R. 653, which would limit exemptions that allow agencies to withhold public records, create an online portal for FOIA requests, and require agencies to post frequently requested documents. Open government advocates and members of Congress have criticized federal agencies for lax compliance with the Freedom of Information Act. The House Oversight Committee concluded that “[e]xcessive delays and redactions” have undermined the Act. The FOIA Ombudsman criticized the Transportation Security Administration for its “weak management” and lack of a “FOIA tracking system.” EPIC has pursued many FOIA cases. EPIC and a coalition previously urged President Obama to strengthen the FOIA by committing to a “presumption of openness” and narrowing the use of FOIA exemptions. [Source]

Workplace Privacy

EU – EDPS Issues Guidelines on Work-Related Use of Mobile Devices

The European Data Protection Supervisor has issued guidelines on the protection of personal data in mobile devices (“devices”). The guidelines examine the risks to personal data processed on mobile devices (leakage of personal data and compromised credentials), the procedures that apply to lifecycle management of devices (i.e. mobile device inventory and asset disposal), and the security measures needed, such as remote wipe and lock, user and application access restriction, secure logs and audit trails, full disk encryption, and application whitelists and blacklists. [EDPS – Guidelines on the Protection of Personal Data in Mobile Devices Used by European Institutions]



1-8 January 2016

Big Data

US – FTC Issues Guidance on Big Data

The FTC report looks at the end uses of the ubiquitous collection of data from a variety of sources after it has been analyzed, and chronicles such upsides as boosting education, non-traditional access to credit, specialized healthcare and access to employment. But it also surveys risks, which it identifies as “inaccuracies” about certain groups, exposing sensitive information, targeting vulnerable consumers for fraud, increasing the price of goods in lower-income communities, and reducing consumer choice. [Broadcasting News] [Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues] SEE ALSO: [Data in 2016: 5 Trends That Will Drive Big Data]


CA – IPC Recommendations to Protect PHI When Using Various Technologies

The IPC has provided guidance on best practices for protecting personal health information. When retaining PHI on mobile or portable devices, strong encryption should be used (keys should be of a sufficient length and error messages should be monitored and responded to immediately) and the device should have strong password protection (random string of letters, numbers and symbols). Shared electronic health record systems should have harmonized policies and procedures that address training, consent management, breach management, complaints and inquiries. [IPC Presentations From the 2015 PHIPA Summit]


US – Pew Survey Indicates Confusion Over Online Data-Sharing Decisions

A new Pew Research Center survey indicates a “significant minority” of American adults have felt confusion about whether to share personal information with companies. The survey found that while 50% said they were confident they understood what would happen with the information they shared, 47% said they were not. 35% of respondents said they were discouraged with the effort required to try to understand data uses, while 38% said the information provided in various companies’ privacy policies confused them. 29% said they found themselves impatient in that they needed to make a decision quickly but felt they wanted to learn more. [Full Story]

US – Study Finds Simplified Privacy Notifications Ineffective

A new survey-based study by two University of Chicago Law professors published on the Social Science Research Network found that the simplification of privacy disclosures did not modify user behavior. “Simplification of disclosures is widely regarded as an important goal and is increasingly mandated by regulations in a variety of areas of the law,” said the study authors. “In privacy law, simplification of disclosures is near universally supported.” However, “our results reveal that none of the simplification techniques help inform respondents or affect their behavior. They call into further question the wisdom of focusing much regulatory effort on improved disclosures,” they continued. [Source]

Electronic Records

UK – NHS to Implement Platform that Integrates Imaging, Genomic Data

England’s National Health System will be implementing an integration platform that will link medical imaging and genomic data, with the intent of bringing together key information at the point of care. The NHS will be rolling out the system from Kanteron Systems that will allow NHS to have exclusive and unrestricted access to its medical imaging and genomic data integration platform. Kanteron is working with various technology partners that have significant business with U.S. healthcare providers. They include IBM, Microsoft and Hitachi Data Systems. Kanteron executives said the company will offer additional services, such as consulting, implementation, integration, migration, tech support and more, to support adoption of new clinical workflows. [Source]


EU – Dutch Govt Rejects Backdoors in Encryption

The Dutch government has published a position paper in which it opposes the idea of creating backdoors in encryption products. The paper says, in part, “The government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability, and use of encryption within the Netherlands.” The paper notes that placing backdoors in the products “would also make encrypted files vulnerable to criminals, terrorists, and foreign intelligence services.” [The Hill] [The Register] [Dutch government backs strong encryption to contradict UK stance] [Security experts support Dutch stance on encryption] [What lessons can the UK learn as the Dutch champion data encryption, oppose backdoors] See also: [David Chaum, the Father of Online Anonymity, Has a Plan to End the Crypto War] and [There’s a huge debate over an encryption expert’s plan solve the problem of online privacy]

EU Developments

EU – EU Commission Provides Overview of Data Protection Reform

The European Commission released a fact sheet regarding the impact of the General Data Protection Regulation (the “Regulation”). The GDPR safeguards freedom of expression and historical/scientific data (through the right to be forgotten) and provides specific protection for children (parental consent required for processing of minors); the use of Big Data analytics is encouraged (through GDPR promotion of anonymization, pseudonymization and encryption), and the one-stop shop mechanism positively impacts companies (they only have to deal with 1 DPA, and will receive more consistent and faster decisions). [European Commission – Questions and Answers – Data Protection Reform] [PrivaWorks] [Final drafts out of the trilogues: Final GDPR Text, December 15, 2015 | Final DPD Text, December 15, 2015] SEE ALSO: Top 10 operational impacts of the GDPR (IAPP Privacy Advisor): Part 1 – data security and breach notification | Part 2 – The mandatory DPO | Parts 3-10 TBD

EU – NIS + GDPR = A New EU Breach Regime

European lawmakers capped off a blockbuster week for privacy with an important step towards the first comprehensive information security legislation in the EU. The Network Information Security (NIS) Directive was initially proposed by the European Commission in February 2013 to raise cybersecurity capabilities across the EU’s 28 member states. After more than two years of negotiation, the European Council reached an informal agreement with the Parliament on December 7, and the agreed text was approved by the Member States December 18. The text now must undergo “technical finalisation,” and then needs to be formally approved by both the Council and the Parliament, which is expected, according to the Council, this spring. Member States will then have 21 months to implement the Directive into law, passing their own legislation in accordance with the Directive. The Directive aims to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers,” according to a Council press release. To that end, it will require operators to take measures to manage cyber risks and report security incidents. The Parliament and Council disagreed over which operators would be subject to the provisions. Ultimately, they extended the measures to operators of “essential services” and digital service providers. Perhaps most importantly for privacy and data protection professionals, the Directive introduces breach notification requirements that extend beyond those of the General Data Protection Regulation (GDPR). Unlike the GDPR, which mandates notification only when there is a risk to personal data, the Directive requires operators to notify competent authorities whenever there is a substantial impact on the provision of the operator’s service. Thus, while the GDPR includes security and notification provisions to protect personal data, the Directive seeks to improve security safeguards and the sharing of knowledge on cybersecurity threats. [IAPP Privacy Tracker]

EU – EDPS Releases Guidelines on E-Communications, BYOD

The European Data Protection Supervisor (EDPS) has published two sets of guidelines for EU institutions and bodies on personal data and electronic communications as well as personal data and mobile devices. The EDPS said the guidelines aim to help EU institutions comply with data protection rules, but they’re really applicable to any organization. In the guidelines, EDPS Giovanni Buttarelli said EU bodies looking to implement BYOD should look at the benefits of doing such processing “taking account of the risks and invasiveness that such use may imply.” [Press Release] SEE ALSO: [EDPS – Response to the Commission Public Consultation on the Regulatory Environment for Platforms, Online Intermediaries, Data and Cloud Computing and the Collaborative Economy]

EU – EDPS Opinion Calls for Enhanced Controls on Surveillance Tech

In a recently published opinion, European Data Protection Supervisor Giovanni Buttarelli called for enhanced controls on the export of technologies used for communications surveillance and interception. He said there is a “tension between the positive use of ICT tools and the negative impact that the misuse of technology can have on human rights, and especially on the protection of personal data and privacy.” Buttarelli said national and EU policies should address the tension but so should “all actors involved in the ICT sector.” [Full Story] See also: [EU privacy watchdog to set up ethics advisory group]

UK – ICO: Govt Should Not Have Right to Access Citizens’ Private Data

The UK government and security services shouldn’t have “willy-nilly” access to citizens’ digital communications and online activities, the Information Commissioner has warned. Such powers would represent an excessive invasion of privacy, he added. Christopher Graham made the comments while presenting evidence to a House of Lords Joint Committee on the draft Investigatory Powers Bill. The draft Bill – dubbed the “Snooper’s Charter” by critics – was introduced by Home Secretary Theresa May last year. It explicitly authorises security services to bulk-collect personal communications data and makes it illegal to even ask in court whether evidence was obtained via bulk surveillance. However, Graham warned that the legislation must not give the government carte blanche for collecting and storing citizens’ private data. “Simply by the fact that we’re all doing business, social actions and communications digitally, wherever we go, whatever we do; like it or not, we leave a digital trail,” he told the Joint Committee, and argued that data protection legislation requires much of this to remain private. “The challenge for the data protection framework is to make sure that remains private where it should be private.” Graham told the Committee that it shouldn’t be the case that the state can access all of a citizen’s private data just because it wants the power to do so. [Source] See also: [Facebook, Google, Twitter unite to attack ‘snoopers’ charter’] [UK mass surveillance ‘totalitarian’ and will ‘cost lives’, warns ex-NSA tech boss]

EU – German Federal DPA Completely Independent as of January 1, 2016

The federal German data protection authority (“DPA”) issued an update for 2016. A German law, effective January 1, 2016, establishes the federal DPA as the supreme federal authority (comparable to the Federal Court) and entirely independent, responsible only to Parliament; the DPA’s decisions are subject to judicial review. [DPA Germany – Update and Outlook for 2016]


CA – Investment Industry Regulator Issues Security Guide for Dealer Members

The Investment Industry Regulatory Organization of Canada (“IIROC”) issued a guide for cyber incident management planning for small and mid-sized Dealer Members. The guide outlines possible causes of a cybersecurity incident, signs of possible information system compromise and recommendations for the phases of incident management (plan and prepare, detect and report, assess and decide, respond, and post-incident activity); an incident checklist is provided (whether or not a plan is already in place). [IIROC – Cyber Incident Management Planning Guide for IIROC Dealer Members]


CA – Law and Info Groups Challenge ‘Far-Reaching’ Retroactive Law

A retroactive Conservative law buried in last spring’s omnibus budget bill fundamentally undermines the rule of law and government access-to-information systems across Canada, according to court submissions in a paused constitutional challenge. Twelve of Canada’s 13 provincial and territorial information commissioners, as well as the Criminal Lawyers’ Association, are seeking intervener status in the case, which challenges the former government’s unprecedented rewrite of an old law to get the RCMP and any other government official off the hook for illegally destroying long gun registry records. The case, brought by federal information commissioner Suzanne Legault on behalf of individual Bill Clennett, is one of the messier legal challenges the new Liberal government will have to mop up in 2016. [GlobalNews]

CA – IPC Requires Ministry to Reveal Marijuana Grow-Op Info

This IPC order reviews the decision of the Ministry of Community Safety and Correctional Services to withhold records requested under FIPPA. Because of the health and safety threats posed by properties formerly used for marijuana grow-operations, it is in the public interest to release records that provide the address, dates and amounts of marijuana seized during OPP investigations; where there is insufficient evidence of an indoor marijuana grow-operation, the compelling public interest in disclosure no longer exists and those records should not be disclosed to the public. [IPC ON – Order PO-3547 – Ministry of Community Safety and Correctional Services] See also: [Interim Order PO-3555 – IPC Upholds York University Decision to Deny Access to Security Reports]

CA – 2010 Olympic Records Are Not in Control of 3 Public Bodies: BC OIPC

This OIPC order reviews the decision reached by the City of Vancouver, the Resort Municipality of Whistler and the Ministry of Finance (collectively, the “public bodies”) relating to records requested pursuant to British Columbia’s Freedom of Information and Protection of Privacy Act. The Adjudicator agreed with the two municipalities and a government department that the records are not in their custody (e.g. Olympic committee bylaws determined the storage and inspection of the records) or control (e.g. the public body lacks the contractual authority to regulate the records’ use, disclosure and disposition). [OIPC BC – Order F15-65 – City of Vancouver, Resort Municipality of Whistler and the Ministry of Finance]

CA – Clayton: Post-Election Document Destruction Illegal

After an investigation of widespread document destruction by the Progressive Conservatives after losing an election to the NDP last year, Alberta Privacy Commissioner Jill Clayton and Public Interest Commissioner Peter Hourihan found that lack of oversight and accountability demonstrates the need for an overhaul of the province’s records management system. The joint investigation found that no one monitored the shredding of a vast amount of government documents. “Robust and accountable records management programs are critical to ensure Albertans can exercise their access to information rights,” Clayton wrote. “This investigation found there was confusion about the rules guiding records management, and there were no consequences for not following rules.” [Document shredding rules not followed after Alberta election, investigation finds] See also: [New details about Calgary healthcare workers privacy breach]

US – New Resource from ProPublica Aims to Simplify Info Access

ProPublica’s new online Policing Patient Privacy and HIPAA Helper tools allow the curious to stay on top of the healthcare privacy community’s goings-on as well as check to see if his or her hospital or healthcare provider was amongst the hacked. Among the newest stories in the Policing Patient Privacy database is a ProPublica report on the Department of Veterans Affairs mistakenly sending incorrect veteran data to war widows and an additional study on how companies rarely face serious consequences after repeated bungles. Meanwhile, the Department of Health and Human Services published a chart that ranks the top five healthcare privacy grievances by year, with “impermissible uses and disclosures” taking the top spot from 2004 through 2014. Healthcare records breached in 2015 topped 112 million. [ProPublica]


JP – Gov’t Says Genomic Info Considered PII

A panel of Japanese experts has decided genomic information should be considered personal information under the newly revised privacy act approved in September. The information will now be classified just as digitized facial features and fingerprints are, and genomic data related to diseases will be considered highly sensitive personal information. The government plans to add rules this year to cover grey areas surrounding protecting genomic data. [Lawyer Herald]

Health / Medical

CA – IPC Issues Guidance on Use of Health Card Numbers

The IPC released an FAQ on the use of health cards and health numbers by healthcare professionals pursuant to PHIPA. Individuals have a right to refuse to provide their health cards and health numbers to a person who is not a custodian (custodians are persons and organizations prescribed in the regulations as permitted to collect, use or disclose health numbers), and any such disclosure must be voluntary; it is an offence under PHIPA to require the production of a health card, except where it is required by a person or organization that provides provincially funded health resources to the individual. [IPC – Health Cards and Health Numbers – The Personal Health Information Protection Act]

Horror Stories

US – Comcast to Pay Penalty of $19,850,000 for Multiple Privacy Violations

The Superior Court of the State of California issued a stipulated judgment, filed by the California Attorney General (“Plaintiff”) against Comcast Cable Communication LLC (“Defendant”), for unlawful disposal of customer information and unlawful hazardous waste disposal practices. Customer records (name, address and phone number) were disposed of without being shredded, erased or made unreadable or indecipherable; the company must designate a Privacy Officer responsible for overseeing its customer record disposal procedure, train employees on the procedures and post prominent signage about the procedures at its facilities. A third party auditor must conduct random audits to evaluate compliance with the procedures within 18, 36 and 54 months. [The People of the State of California v Comcast Cable Communications LLC – Complaint and Stipulation for Entry of Final Judgment – Superior Court of the State of California – County of Alameda | Press Release ]

Identity Issues

US – IRS Provides Tax Break on Pre-Breach ID-Protection Programs

The IRS is offering new tax relief for employers that offer pre-breach identity-protection services for employees. According to IRS Announcement 2016-02, employers do not have to count the value of the protection service in an employee’s wages and gross income or report the amounts on a tax return. However, the new provision “does not apply to cash received in lieu of identity protection services,” the IRS wrote, and “does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.”

US – Backlash Encourages IRS to Kill Non-Profit Donor Data-Sharing Scheme

After receiving nearly 38,000 public complaints, the Internal Revenue Service (IRS) withdrew its proposal that would permit non-profits to collect the Social Security numbers of select donors. Although the IRS maintained that the program was created to safeguard donor privacy and keep reporting simple for non-profits, many were nonplussed, and the axing of the proposed system incited widespread celebration from groups like the Tea Party Patriots and the National Council of Nonprofits (NCN). “Nonprofits have neither the financial resources nor sufficient staffing to combat hackers who will see an easy source for Social Security information,” said the NCN CEO. “This also creates a liability nightmare for innocent nonprofits. … To be asked to share their address, their credit card number, and their Social Security number all in the same place would be enough to scare even the most committed donor to decline to give.” [The Daily Signal]

SG – Singapore DPA Recommends Use of Anonymization Methods

The data protection authority in Singapore issued an e-newsletter providing guidance on anonymization. Common anonymization techniques include masking (certain data details are removed while the essential look and feel of the data is preserved), pseudonymization (identifiable data is replaced with randomly generated values from which an identity cannot be inferred), aggregation (values are displayed only as a total figure), replacement (an average figure replaces an individual value), and data suppression (a range is used instead of specific values). [Personal Data Protection Commission, Singapore – Anonymisation: Managing Personal Data Protection Risk]
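The five techniques named in the PDPC newsletter, applied to a handful of constructed customer records. This is an added illustration and not code from the PDPC or its guidance; the records, the identifier format and the field names are all invented, and the range width and masking rules are choices made here for the example.

```python
"""Toy implementations of the anonymisation techniques named in the PDPC
newsletter: masking, pseudonymisation, aggregation, replacement and
suppression. Sample records below are constructed; the ID format is invented."""
import secrets
from statistics import mean

# Constructed sample records (hypothetical customers, not real people).
RECORDS = [
    {"id": "S1234567A", "email": "alice@example.com", "age": 34, "spend": 120.0},
    {"id": "S7654321B", "email": "bob@example.com",   "age": 41, "spend": 80.0},
    {"id": "S1122334C", "email": "carol@example.com", "age": 29, "spend": 40.0},
]


def mask_id(value, keep=3):
    """Masking: hide most characters but keep the look and feel of the
    identifier by leaving the last `keep` characters visible."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def mask_email(email):
    """Masking for an e-mail address: keep the first character of the local
    part and the domain, e.g. a****@example.com."""
    local, _, domain = email.partition("@")
    return local[:1] + "*" * max(len(local) - 1, 0) + "@" + domain


class Pseudonymizer:
    """Pseudonymisation: replace an identifier with a random token that is
    stable within one dataset. The mapping table is the only way back to the
    identity, so it must be protected like a key (or discarded outright)."""

    def __init__(self):
        self._table = {}

    def token_for(self, value):
        if value not in self._table:
            self._table[value] = "P-" + secrets.token_hex(8)
        return self._table[value]


def aggregate_total(records, field):
    """Aggregation: release only the total figure for a field."""
    return sum(r[field] for r in records)


def replace_with_average(records, field):
    """Replacement: every individual value is replaced by the group average."""
    avg = mean(r[field] for r in records)
    return [{**r, field: avg} for r in records]


def suppress_to_range(value, width):
    """Suppression, as the newsletter describes it: report a range (bucket of
    the given width) instead of the exact value, e.g. 34 -> '30-39'."""
    low = (value // width) * width
    return f"{low}-{low + width - 1}"


def anonymise(records, pseudo=None):
    """Apply all five techniques to produce a release-ready view of the data."""
    pseudo = pseudo or Pseudonymizer()
    avg_spend = mean(r["spend"] for r in records)
    out = []
    for r in records:
        out.append({
            "id": pseudo.token_for(r["id"]),      # pseudonymisation
            "id_masked": mask_id(r["id"]),        # masking (identifier)
            "email": mask_email(r["email"]),      # masking (e-mail)
            "age": suppress_to_range(r["age"], 10),  # suppression to a range
            "spend": avg_spend,                   # replacement by average
        })
    return out


if __name__ == "__main__":
    for row in anonymise(RECORDS):
        print(row)
    print("total spend (aggregation):", aggregate_total(RECORDS, "spend"))
```

Two points worth noticing: the pseudonym table in `Pseudonymizer` re-identifies everyone, so pseudonymised data is still personal data for whoever holds that table; and masking preserves format, which is convenient for testing and display but leaks the visible characters, so the number kept should be chosen against the size of the population, not by habit.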

Internet / WWW

WW – Microsoft to Warn of State-Sponsored Attacks

Microsoft has revised its account breach notification policy to specify when it suspects that state-sponsored attackers have targeted a user’s email or cloud services account. While Microsoft already has a policy in place that calls for notifying users of account breaches, the decision to identify a breach as coming from a state-sponsored entity was made “because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others.” [SC Magazine] [Bloomberg] [Washington Post] SEE ALSO: [Microsoft failed to warn victims of Chinese email hack: former employees]

US – Free Public Wi-Fi in NYC

New York City plans to install 10,000 free public Wi-Fi hotspots. Once operational, the kiosks will provide 2.0 strength in a 150-foot radius, as well as USB chargers, touchscreen Internet access, and free phone calls within the US. The project is expected to realize US $500 million in advertising revenue over 12 years. The plan calls for the first 500 kiosks to be up within the next six months; 4,500 additional hubs are expected to be established over the next four years. The system will be encrypted. [CS Monitor]

Law Enforcement

CA – BCCLA to OIPC: Audit Use of Mobile Cop Surveillance Towers

Micheal Vonn, policy director for the B.C. Civil Liberties Association, said she has concerns about the deployment by law enforcement of new tower cameras over the holidays — particularly whether they have the capability to see into people’s homes — but cautioned that the association hasn’t concluded such equipment is unnecessary. “What we don’t want to start out by saying is that this kind of camera could never be justified — that’s not our position,” Vonn said. “But given the sensitivity of the information regarding the deployments, how can we know when it’s being appropriately deployed?” Vonn suggested the BC OIPC consider an audit to determine whether the tower camera, which is also used by Abbotsford police and some other local police forces, is being used in a manner that doesn’t infringe on residents’ privacy rights. [Vancouver Courier]

Online Privacy

The Privacy Advisor’s Top 10 Stories of 2015

Between the U.S. President’s historic visit to the Federal Trade Commission to identify privacy and data protection as priorities this year, the European Court of Justice invalidating Safe Harbor, and the European Commission introducing the privacy reform that will change the privacy landscape globally, it’s been quite a year for the privacy profession. Here’s a look back at the top 10 stories reported in The Privacy Advisor, ranked by the number of reads each story got.

  1. Obama Stops by FTC; Announces Privacy Bills on ID Theft, Student Data, Consumer Privacy
  2. Cookies Are So Yesterday; Cross-Device Tracking Is In
  3. Safe Harbor Invalid, Rules ECJ
  4. GDPR Is Here: What’s a Privacy Pro To Do Next?
  5. With Safe Harbor Invalid, What’s a Privacy Pro To Do?
  6. Third-Party Vendor Management Means Managing Your Own Risk
  7. Would a Law Degree Take Your Privacy Career to the Next Level?
  8. His Task? Start Up a Privacy Program at a Start-Up
  9. How To Operationalize the PIA
  10. FTC’s Security Guide: A Sure-Fire Way To Stay Out of Trouble?

[Source] See also: [Why 2015 Was a Historic Year for Privacy]

US – Judge Allows Class-Action Against Yahoo to Proceed

In Chicago, a federal judge allowed a class-action lawsuit against Yahoo to proceed, which could make Yahoo liable for up to $1,500 in damages for each text message it sent to non-Yahoo customers on Sprint’s wireless network in March 2013. The suit claims Yahoo violated telecom rules by sending users who signed into Yahoo Messenger a follow-up text even though users had not given consent to be contacted. Yahoo could pay up to $750 million total, “given that as many as 500,000 people could be covered in the class-action.” [Washington Post]

Privacy (US)

US – DHS Offers Drone Privacy Best Practices

The Department of Homeland Security Unmanned Aircraft Systems Privacy, Civil Rights and Civil Liberties Working Group has released 15 best practices for government agencies working with the emerging technology. In a joint statement, the co-chairs of the working group write, “The DHS Working Group neither proposes nor intends that this document regulate any other government entity. Our goal, rather, is simply to share the best practices we have identified as helping to sustain privacy, civil rights, and civil liberties throughout the lifecycle of an unmanned aircraft systems program.” The ACLU, however, said the guidelines are vague on retention limits for collected data. [Federal News Radio] See also: [UK Police to use drones for burglaries, sieges, protests] See also: [Drone Law Journal Launched]

US – DHS Releases New Year’s Resolutions for Privacy

The Department of Homeland Security’s Privacy Office reflects on its privacy progress while postulating on the future within its 2015 review. The office shed light on its involvement with the U.S.-Canada Beyond the Border Action Plan and the U.S.-E.U. Data Protection and Privacy Agreement. Among its 2016 plans is a DHS mobile app privacy policy and involvement in the Automated Indicator Sharing Initiative, in which the office will aim to “develop an automated, near-real-time capability and process for the Department of Cybersecurity and Communications Integration Center, to send and receive cyber threat indicators from government and private organizations.” [Federal News Radio reports]

US – CRS Sheds Light on Enforcement Authority in Data Breach Legislation

Most of the bills would task FTC with most of the enforcement duties, said a recent CRS report, but the legislation differs on whether the FCC should retain its existing enforcement authority over data security and breach notification for telecommunication providers. The transparency group Federation of American Scientists obtained the report and made it publicly available. [FierceGovtIT] See also: [LabMD and Wyndham Decisions Curtail FTC’s Data Privacy and Security Reach]

US – PrivacyCon to Hit Washington Jan 14

The FTC has announced the full agenda for PrivacyCon, a free and publicly accessible event, on January 14. Industry delegates, researchers, and government representatives will convene in Washington to discuss privacy and data protection research from a broad collection of academics. Among the research presentations is Cornell researcher Vitaly Shmatikov’s discovery that due to “subtle bugs,” some ads now have the ability to report a user’s medication usage and sexual preference, as well as his or her location. Registration for the event is on a “first come, first serve” basis. This event will be webcast. [Source]

US – Data Privacy Day Observed by NCSA with State of Privacy Event

The National Cyber Security Alliance (NCSA) is hosting a State of Privacy event at the Pew Charitable Trusts in Washington on January 28, more formally known as Data Privacy Day. Speakers like the FTC’s Julie Brill and EDPS Giovanni Buttarelli, among others, will discuss both “consumers’ view on privacy” and “developing a sustainable big data ecosystem.” The free and publicly accessible event aims to “initiate a practical and solutions-focused dialogue addressing the current state and future of privacy.” [Full Story]


WW – 10 Data Security Trends That Will Impact You in 2016

Considering the events of the past year, here’s my take on trends and predictions for 2016.

  1. Consolidation of IT Security: The IT marketplace wants fewer vendors, not more.
  2. The Internet of Things to Run Rampant: 6.4 billion connected “things” will be in use globally by the end of 2016 – up 30% from 2015 – and that number is expected to reach 20.8 billion by the year 2020.
  3. Responsible Disclosure: The upcoming year could bring about fundamental changes in how security researchers discover, prove, report and address vulnerabilities.
  4. Security Awareness to Expand to Consumers: In order to combat internal breaches, companies are providing their employees with cyber security awareness training.
  5. Data Breaches to Cause Extensive Implications: In the past, there have been significant delays in victims noticing the effects of a data breach – if at all. That is, until the hack of Ashley Madison, which highlighted the extent to which the personal and professional lives of a large group of people could be negatively impacted by a data breach.
  6. Privacy Regulations: With the ongoing debates around privacy regulation in Europe, security will undoubtedly be included in the conversation. Of particular note will be discussions around the case of Safe Harbor and how such European rulings will affect the global transfer and storage of personal data.
  7. SMBs to Invest More in Security: Cybercriminals are increasingly targeting SMBs because they’re seen as less secure, while oftentimes owning valuable customer data. Ransomware tops the list of company concerns for SMBs, and instances of cyber attacks targeting SMBs will continue to grow.
  8. Cloud Security to See Increased Shared Responsibility: Deploying a cloud-based IaaS, PaaS or SaaS provider can be a good business and security investment for companies with limited IT resources. However, companies must also understand that simply hosting in the cloud does not absolve them of security responsibilities.
  9. Incident Response to See Improvements: The onslaught of high-profile breaches has created a greater need for companies to respond to breaches in a timely manner.
  10. Collaboration Amongst Community to Increase: More than ever, security professionals are utilizing tools and platforms in order to better share and collaborate on security research and uncovering and responding to threats.

[Source] SEE ALSO: [DarkReading: 15 Cybersecurity Lessons We Should Have Learned From 2015, But Probably Didn’t] [Information Week: Top Data Privacy Issues to Scare You in 2016] [Wired: The Biggest Security Threats We’ll Face in 2016]  [CSO Online: Five Cybersecurity Names to Follow in 2016] [Data in 2016: 6 Changes to Expect in Security, Cloud and Mobile Tech]

Smart Cars

WW – Data Communication Modules Coming to 2017 Toyotas

Toyota announced that select 2017 model vehicles worldwide would employ “data communication modules” (DCM) that will connect the cars to “Toyota’s Big Data Center.” While the extent of the DCM’s application will vary from model to model, all cars will have, at minimum, an emergency alert reporting system that activates when the airbag is deployed. Other features are still a mystery, but Toyota did disclose in a statement that its data center will “analyze and process data collected by DCM, and use it to deploy services under high-level information security and privacy controls.” [The Verge]


EU – Irish DPA Requires Transparency When Using Body Worn Cameras

The Irish Data Protection Authority released guidance on the use of body worn cameras, pursuant to the Data Protection Act. Individuals should be clearly informed of the use of body cameras, of all the purposes, of who will have access to this information, and of how long the images will be retained; conspicuous signage should be mounted in the area in which the camera is operating; and the person operating the body worn camera should be visually identifiable (where possible/practicable, announcing to the subjects of an encounter that video and audio recording is taking place using a body worn camera). [DPA Ireland – Guidance on the Use of Body Worn Cameras]

Telecom / TV

US – 2016’s Big Surveillance-Privacy Cases

It’s been 2.5 years since the first Snowden revelations were published. And in 2015, government surveillance marched on in both large (NSA) and small (the debut of open source license plate reader software) ways. Within the past year, Congress voted to end Section 215 of the Patriot Act—but then substituted it with a similar law (USA Freedom Act) that leaves the phone metadata surveillance apparatus largely in place even if the government no longer collects the data directly. Even former NSA Director Michael Hayden admitted in June 2015 that this legal change was pretty minor. We also saw some notable 2015 reforms as to how federal law enforcement uses stingrays, the invasive cell-phone surveillance devices in use by everyone from local cops all the way up to the FBI, DHS, and the IRS. The Department of Justice (the parent agency of the FBI) and DHS both announced new policies that require the agencies to get a warrant prior to deploying the snooping device. California Cops, Want To Use A Stingray? Get A Warrant, Governor Says: In October 2015, America’s most populous state implemented the California Electronic Communications Privacy Act. Among other reforms, this act imposed a warrant requirement for the state’s cops when using a cell-site simulator. Other states that already have similar laws include Washington, Virginia, Minnesota, and Utah. But perhaps 2015’s most notable surveillance happenings took place in the court room. Last year, we summarized five cases and trumpeted: “If the Supreme Court tackles the NSA in 2015, it’ll be one of these five cases.”

US Legislation

US – Key U.S. Cybersecurity Provisions Signed into Law

Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Hogan & Lovells have summarized key cybersecurity provisions. The main goal of CISA is to encourage organizations to share information with the government about the cybersecurity threats they face and to help strengthen the mechanisms via which such information is disseminated to other organizations to help them improve their cyber defenses. Despite overwhelming support in Congress and backing from many in the private and public sectors, questions remain about some provisions in CISA, including whether privacy safeguards are adequate and whether liability protections are sufficient to allay organizations’ fears of being sued based on their participation in information sharing. How these issues are resolved will help determine whether CISA will make a real difference in the way organizations share, receive, and use cybersecurity information. [IAPP Privacy Tracker]



21-31 December 2015


CA – IPC Publishes FAQ on Amendments to FIPPA and MFIPPA

Bill 8, the Public Sector and MPP Accountability and Transparency Act, 2014, will come into effect on January 1, 2016. This Bill amends the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) to include requirements for institutions to ensure the preservation of records. As a result of the amendments, heads of institutions will be required to take “reasonable measures” to preserve records in their custody or control. The amendments apply to all stages of the information life cycle and make it an offence to alter, conceal or destroy a record with the intention of denying access. As the body that oversees compliance with FIPPA and MFIPPA, the IPC strongly supports the amendments because they will bring increased transparency and accountability to Ontario public institutions. The IPC has prepared this new paper to help institutions understand their responsibilities under the recordkeeping amendments, as well as develop and implement plans to address these provisions. [Information and Privacy Commissioner /Ontario]

CA – Jennifer Stoddart Named to Order of Canada

Congratulations to Jennifer Stoddart (Officer) and Kent Roach (Member) for being named to the Order of Canada. [Globe&Mail]

CA – Canadian Companies Have Big New Ally in Fight Against Cyber Crime

Nine major Canadian companies, including the big telcos and some of the Big Five banks, along with the Canadian Council of Chief Executives are forming the Canadian Cyber Threat Exchange (“CCTX”), which will allow companies to share information among themselves, government and research institutes about cyber attacks. [Financial Post]


US – Warrantless Online Surveillance Is OK for Most: Poll

According to the new poll, 56% of Americans favor and 28% oppose the ability of the government to conduct surveillance on Internet communications without needing to get a warrant. That includes such surveillance on U.S. citizens. Majorities both of Republicans (67%) and Democrats (55%) favor government surveillance of Americans’ Internet activities to watch for suspicious activity that might be connected to terrorism. Independents are more divided, with 40% in favor and 35% opposed. Only a third of Americans under 30, but nearly two-thirds 30 and older, support warrantless surveillance. [Source]


US – 191 Million Voter Records Unprotected

A database containing personally identifiable information of 191 million voters has been discovered. The database is misconfigured, making it accessible online to anyone. The compromised information includes names, addresses, dates of birth, and voting history dating back to 2000. It has not yet been determined to whom the database belongs. [Wired] [The Hill] [CNET] [The Register] See also: [Livestream Acknowledges Breach] [Database configuration issues expose 191 million voter records: Massive database exposed to public, major political data managers deny ownership] [Massive trove of US voter data discovered on Web]


WW – Google: Bring Your Own Encryption Keys to Google Cloud Platform

Google has introduced Customer-Supplied Encryption Keys for Google Compute Engine in beta, which allow you to bring-your-own-keys to encrypt compute resources. Google Compute Engine already protects all customer data with industry-standard AES-256 bit encryption. Customer-Supplied Encryption Keys marries the hardened encryption framework built into Google’s infrastructure with encryption keys that are owned and controlled exclusively by you. You create and hold the keys, you determine when data is active or at rest, and absolutely no one inside or outside Google can access your at rest data without possession of your keys. Google does not retain your keys, and only holds them transiently in order to fulfill your request. [Google]

EU Developments

EU – GDPR: Orgs Must Obtain User Consent for Personal Data Processing

A law firm (FieldFisher LLC) examines forthcoming changes under the General Data Protection Regulation (“GDPR”). Organisations will have to re-engineer data collection forms, online and mobile user interfaces, privacy policies and terms and conditions to ensure explicit consent can be proven; explicit consent may not be an option where there is a significant imbalance between the individual and the organisation collecting the personal data.


WW – New Code Will Indicate When Web Content is Being Censored

The Internet Engineering Steering Group has approved a new HTTP status code, 451, that will let users know when pages they are trying to access are unavailable for legal reasons. The new error status code aims to help users differentiate between pages that are unavailable due to technical errors and those that are unavailable due to deliberate government action. [CNET] [The Register] [Washington Post]
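How the distinction works in practice, as an added example that is not part of the original item or of any standards body’s code: a server returns 451 only for a deliberate legal block and keeps 404 and 5xx for ordinary failures, and a client tells the two apart from the status code and the `Link: ...; rel="blocked-by"` header that RFC 7725 recommends for naming the blocking authority. The blocked-path table and the authority URL are constructed placeholders.

```python
"""Serving and recognising HTTP 451 (RFC 7725, "Unavailable For Legal Reasons").

Added example. The LEGAL_BLOCKS table and the authority URL below are
constructed placeholders, not real legal demands.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple

# Constructed sample data: paths a hypothetical operator has been ordered to
# block, mapped to the (placeholder) entity that issued the demand.
LEGAL_BLOCKS: Dict[str, str] = {
    "/blocked/article-1": "https://authority.example/orders/1",
}

TEXT = {"Content-Type": "text/plain; charset=utf-8"}


def build_response(path: str) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) for a request path.

    451 is used only for a deliberate legal block; a missing page stays 404 and
    a broken backend would stay 5xx, so a client can never mistake censorship
    for a technical error (the point of the new code).
    """
    if path in LEGAL_BLOCKS:
        headers = dict(TEXT)
        # RFC 7725 recommends identifying the blocking authority with a Link
        # header carrying the "blocked-by" relation.
        headers["Link"] = f'<{LEGAL_BLOCKS[path]}>; rel="blocked-by"'
        return 451, headers, b"Unavailable For Legal Reasons\n"
    if path == "/":
        return 200, dict(TEXT), b"ok\n"
    return 404, dict(TEXT), b"Not Found\n"


_BLOCKED_BY = re.compile(r'<([^>]+)>\s*;\s*rel="?blocked-by"?')


def classify(status: int, headers: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Client-side view: tell a legal block apart from a technical failure.

    Returns a dict with "kind" and, for 451, the authority named in the
    Link header (None when the server sent no blocked-by relation).
    """
    if status == 451:
        match = _BLOCKED_BY.search(headers.get("Link", ""))
        return {"kind": "legal_block",
                "blocked_by": match.group(1) if match else None}
    if 500 <= status < 600:
        return {"kind": "server_error", "blocked_by": None}
    if status == 404:
        return {"kind": "not_found", "blocked_by": None}
    return {"kind": "ok", "blocked_by": None}


class Handler(BaseHTTPRequestHandler):
    """Minimal server that applies build_response() to every GET."""

    def do_GET(self) -> None:
        status, headers, body = build_response(self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Serve on localhost; `curl -i http://127.0.0.1:8451/blocked/article-1`
    # shows the 451 status and the Link header.
    HTTPServer(("127.0.0.1", 8451), Handler).serve_forever()
```

The classifier deliberately treats a 451 without a `blocked-by` link as still a legal block; the header is a courtesy to the user, not a precondition for the status, and a server that omits it is still signalling deliberate removal rather than a fault.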

Health / Medical

US – 2015: Worst Year for Healthcare Hacks is a Security Wakeup Call

Without a doubt, 2015 was the year of the healthcare megabreach and a major turning point for the sector. Some 56 major hacker attacks affecting a total of nearly 112 million individuals occurred in 2015, according to the Department of Health and Human Services. The largest of these cyberattacks hit health insurer Anthem, affecting nearly 79 million individuals, making it the biggest healthcare breach ever reported to HHS. “2015 was a blaring wake-up call to healthcare entities and their business associates that protected health information of their patients is a bullseye for fraudsters and other cybercriminals as well as nation states eager to steal IDs,” HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee says in a year-end audio blog. [Source] [Data Breaches In Healthcare Totaled Over 112 Million Records In 2015] [US: Few Consequences For Health Privacy Law’s Repeat Offenders]

Horror Stories

WW – Hello Kitty User Database Unprotected

A breach has exposed the personal information of 3.3 million Hello Kitty users. The database may have been open to intruders for more than a month. The vulnerable database was found by the same person who recently discovered the unprotected MacKeeper database. [The Register] [NBC News] [Wired] See also: [Canadian data breaches in 2015: Big firms weren’t the only targets]

Identity Issues

US –TSA May Stop Accepting Certain State-Issued IDs

The US Department of Homeland Security (DHS) may soon start enforcing the Real ID Act, which requires states to comply with certain federal security standards when issuing identification cards. People from states with non-compliant systems may find themselves unable to board planes or enter federal buildings with their ID cards. Some states are non-compliant because of active opposition to the law, driven by privacy concerns or prohibitive costs. [NYTimes] [ArsTechnica]

US – One State Has Started Putting Drivers’ Licenses on Smartphones

The Iowa Department of Transportation spent $40,000 on a pilot program to outfit 15 state employees with a “mobile driver’s license,” or mDL. This iOS app displays a virtual license with a rotatable image of the driver’s head after users take a selfie that is verified against their license photo on file. The mDL program is the result of public interest in the technology, which could be offered to more Iowans this year. Some proposed benefits seem obvious: Instant updates to addresses and driving records will shorten lines at the DMV, and eliminating physical licenses saves the state production costs. Also, merchants and financial institutions see it as a means of combating fraud. The driver’s license is already the de facto standard for proving identity, so it follows that cash-strapped states would seek to monetize this service. A system in which businesses would use a license-reader app to verify a credit-card customer’s identity might net the state a small transaction fee. Bars and restaurants could similarly deploy apps for age verification. This could also increase privacy for consumers, who would no longer need to expose personal information printed on a physical license, choosing to share only their photo and proof of legal drinking age. [Source]

Internet / WWW

WW – Video Game Companies Collecting Massive Amounts of Personal Data

Haven’t read the “terms and conditions” on that video game system you got for the holidays? You may want to take a look. With more and more video game companies collecting ever greater amounts of data about their customers, privacy advocates are starting to warn about risks to gamers’ personal privacy — as well as the dangers in normalizing surveillance. [Source]

WW – Privacy-as-a-Service Scatters Data in Disappearing Clouds

When attackers break through layers of encryption and firewalls, one good way to keep cloud-based data safe is to keep it scattered and in constant motion. Dispel, a start-up focusing on enterprise-grade digital privacy for small to midsize businesses (SMBs) and individuals, offers digital privacy rooted in ephemeral cloud infrastructure.


Online Privacy

WW – Spanish Cybersecurity Agency Outlines Web Tracking Techniques

The Spanish National Institute of Cybersecurity (“INCIBE”) issues an overview of techniques used for web tracking of internet users. Techniques include digital fingerprints (from browsers, software, hardware, networks and geolocation), header injections, preferences and patterns of behavior and client-side identifiers (cookies, caches, session identifiers and super cookies). [INCIBE – Web Tracking of Internet Users]

WW – Facebook and Twitter’s User Privacy Efforts Crushed by New Government Legislation

Facebook and Twitter’s attempts to champion user privacy are being undermined by the intelligence community and UK government following new proposals to jail employees who tip off users that their data has been requested. Under the new offense, employees of any communication service provider can be jailed for up to two years for informing a user that security services or law enforcement authorities have requested their data. The move hampers ongoing attempts by Facebook, Twitter and several other social network and technology companies to assure members that their information is secure and that they will be told if any government agency is monitoring them. See also: [Twitter Revises Policy Banning Threats and Abuse]

WW – Twitter Reverses Stance on Archiving Politicians’ Deleted Tweets

Twitter reached an agreement with two transparency-focused organizations, Sunlight Foundation and the Open State Foundation, that will allow them to resume publishing the deleted tweets of politicians and government officials in the new year. In August, Twitter cut off access to Politwoops, a Sunlight Foundation initiative that published elected officials’ deleted tweets. The technology company said Politwoops violated its developer agreement, which mandates that services with access to Twitter’s servers must not display tweets that users have deleted. [Source] See also: [Twitter vows to wage war on internet trolls]

Other Jurisdictions

CN – China Passes Counterterrorism Law

China’s parliament has passed an anti-terrorism law that requires companies doing business in that country to “provide technical support and assistance, including decryption, to police and national security authorities in prevention and investigation of terrorist activities.” The law is a step back from an earlier draft, which would have required companies to provide the Chinese government with encryption codes. Telecoms and ISPs must verify customer identities, implement information content monitoring systems and provide decryption and other technical support to security bodies conducting anti-terrorism investigations; penalties for failure to comply with these requirements range from CNY 100,000-500,000 (approximately USD 15,500-77,122). [Slate] [Counter-Terrorism Law of the People’s Republic of China] [China counterterrorism law: US cyber privacy advocates express concern] [China’s New Big Brother Law Is A Clone Of The West’s Bad Ideas]

Privacy (US)

US – Technology Will Create New Models for Privacy Regulation: Lessig

In a new interview, Harvard law professor Lawrence Lessig shared his view of the future of privacy in this age of data breaches. “The average cost per user of a data breach is now $240. Think of businesses looking at that cost and saying, ‘What if I can find a way to not hold that data, but the value of that data?’ When we do that, our concept of privacy will be different.” [WSJ] SEE ALSO: [The Year in Tech Law and Digital Brouhaha, from A to Z: The deals, bills and court cases that garnered headlines in 2015] SEE ALSO [2015 was a tipping point for six technologies that will change the world]

Privacy Enhancing Technologies (PETs)

WW – Microsoft Will Ban Man-in-the-Middle Ad Injection Software

Microsoft will block ad injection software that makes use of man-in-the-middle (MiTM) techniques. The company says it aims “to keep the user in control of their browsing experience.” Microsoft will begin enforcing the changes on March 31, 2016. [ZDNet] [TechNet] See also: [Top Ten Privacy Websites]


WW – 2015 Cybersecurity Market is $75B; Expected to Reach $170B by 2020

Fasten your seat belts. 2016 promises to be a big year for the cybersecurity industry. Following up on October’s report, The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics, Part II recaps cybersecurity spending in 2015 and projects market growth over the next five years. Worldwide spending on information security will reach $75 billion for 2015, an increase of 4.7% over 2014, according to the latest forecast from Gartner, Inc. The global cybersecurity market is expected to be worth $170 billion by 2020. The cyber security market is estimated to grow at a compound annual growth rate (CAGR) of 9.8% from 2015 to 2020. According to IDC, the hot areas for growth are security analytics / SIEM (10%); threat intelligence (10%+); mobile security (18%); and cloud security (50%). The global managed security services market is projected to reach nearly $30 billion by 2020, with a CAGR of 15.8% over the next five years. The global enterprise governance, risk and compliance (GRC) market is expected to grow from $5.8 billion in 2014 to $11.5 billion by 2019, at a CAGR of 14.6% for the period 2014 to 2019. A new cybercrime wave is driving IoT spending, and the Internet of Things (IoT) security market is expected to grow from $6.89 billion in 2015 to nearly $29 billion by 2020. The global IoT security market is expected to grow at a CAGR of nearly 55% over the period 2014-2019. [Forbes]

WW – The Top 16 Security Predictions for 2016

GovTech examined hundreds of expert forecasts for 2016 and beyond. With cyber trends and predicted technology events from top companies, it is hard to be optimistic about our online situation. And yet, the combined predictions tell us an important story about online life. So where is cyberspace heading? What surprises await us? Here’s your annual one-stop roundup of what security experts are telling us will happen next:

1)   Symantec: Symantec leads with attacks on the Internet of Things (IoT) and Apple iOS attacks growing dramatically. An impressive Symantec list of 2016 security predictions overall.

2)   Last December, Raytheon/Websense successfully predicted 2015 health-care concerns in their security predictions overview. This year, Raytheon/Websense leads with predictions about attacker trends (increased abuse of newly created infrastructure), end-user behavior in a post-privacy society and evolving business behaviors as a result of cyberattacks and data breaches — including a surge in cyber insurance.

3)   McAfee (Intel Security): McAfee Labs offer a five-year cybersecurity look ahead in infographic form. They predict a growing attack surface, difficult-to-detect cyberattacks, new device types and much more. They also cover growth in “integrity attacks” where hackers change the data to do harm.

4)   FireEye: FireEye offers a free prediction report on their 2016 webcast which leads with security concerns with Apple devices in 2016 as well as IoT security problems. More sophisticated forms of ransomware attacks. Also, there will be “Increased Attacks on Industrial Control Systems.”

5)   Trend Micro: Trend Micro leads with “2016 will be the year of online extortion.” Second, “At least one consumer-grade smart device failure will be lethal in 2016.” Trend Micro’s presentation of their 2016 security predictions gets them top honors for the best online graphics, clearest presentation, and easiest-to-understand security prediction summary.

6)   Kaspersky: The Kaspersky blog offers a nice narrative of various cyber trends that could lead to major events in 2016, including: “Blackmailing and squeezing money for stolen photos and hacked accounts.” Also car hacks will grow: Culprits probably won’t focus on the systems themselves, but rather on the special protocols, which are implemented to enable communications between cars.

7)   Sophos: Sophos offers their 2016 cybersecurity threat predictions. Like others, they lead with mobile threats rising, IoT platform vulnerabilities and small and medium-size businesses (SMBs) seeing more attacks.

8)   Alert Logic: Alert Logic offers some optimistic 2016 predictions about the cloud — such as: “2016 will be the first year people choose cloud because of the security benefits.” This sets them apart and puts them in the top group.

9)   Network World: Network World’s Jon Oltsik again offers this list, a bit different from other predictions. Leading his 2016 prediction list were: “Greater focus on cyber supply chain security, and the consumerization of authentication.” He also predicted that cyber insurance is set to boom (with others who predicted this).

10) IDC: IDC offers many technology predictions for the CIO Agenda, with #6: “By 2016, 70% of IT organizations will shift their focus to advanced ‘contain and control’ security and away from a perimeter mentality.” “It’s time for organizations to reframe their security from the old, reactive threat-oriented model to an advanced, proactive, predictive, and integrity-oriented approach,” says Mike Rosen, vice president of research with IDC’s IT Executive Programs (IEP).

11) IBM: IBM offers several intriguing 2016 security predictions. A few include:

  • (More) companies and governments to use block-chain encryption.
  • Cyber intelligence as a service is coming.
  • Vulnerability curators will become prevalent.
  • More data breaches will lead to spikes in cyber-spending.
  • Financial orgs create own fusion centers — leave managed security services.

12) Computer Science Corp. (CSC): CSC’s chief technology officer offers technology trends to watch. Some predictions are on security such as: “As context increases, cybertargets increase.” That is, as data becomes more contextually rich, it becomes more valuable to the enterprise — and to cybercriminals as well.

13) Business Insider offers: “How vulnerable IoT devices are changing the cybersecurity landscape.” This is a deeper look at vulnerable IoT systems:

– Research has repeatedly shown that many IoT device manufacturers and service providers are failing to implement common security measures in their products.

– Hackers could exploit these new devices to conduct data breaches, corporate or government espionage, and damage critical infrastructure like electrical grids.

– Investment in securing IoT devices will increase five-fold over the next five years as adoption of these devices picks up.

14) Forbes Magazine Online: Forbes leads their security prediction list for 2016 with the “leadership over luck theme.” Here’s an excerpt: “Unfortunately in most respects, 2016 won’t change much: users will still click on malicious links; IT will still be bad at patching; the bad guys will still attack; and the tide of misery from breaches will continue. What matters most is whether your organization will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is to lead your organization to high ground based on a well-considered, security-first strategy. …

15) LogRhythm offers 10 interesting predictions such as: “An uptick in all-in-one home surveillance systems.” We are seeing more motion sensing/camera/recording devices in the home that can be managed through personal devices. This type of technology will continue to expand, and with this expansion, hackers will try to exploit them or cause chaos. Also: A rise in the use of mobile wallet apps. Like having virtual money and an ID in one’s pocket, mobile wallet apps are at the intersection of marketing and payments. And although a mobile wallet is convenient, it is directly tied to one’s mobile phone, which is a critical access vector for cyber threats.

16) Imperva: Imperva has some fascinating and big predictions worth reading, including contractors getting more scrutiny in “Cyber Pat Downs.”

Source: [GovTech] See also: [The weird and wacky of 2015: strange security and privacy stories]

WW – Oracle Reaches Settlement with FTC Over Java SE Security

Oracle, one of the nation’s largest tech companies, is settling federal charges that it misled consumers about the security of its software, which is installed on roughly 850 million computers around the world. The company won’t be paying a fine, and it isn’t admitting to any wrongdoing or fault in its settlement with the FTC. But Oracle will be required to tell consumers explicitly if they have outdated, insecure copies of the software — and to help them remove it. The software, known as Java SE, helps power many of the features consumers expect to see when they browse the Web, from browser-based games to online chatrooms. But security experts say Java is notoriously vulnerable to attack. It has been linked to a staggering array of security flaws that can enable hackers to steal personal information from users, including the login information for people’s financial accounts, the FTC said. [Washington Post]


US – Gov’t Warrantless Collection of Communications is Constitutionally Valid

Jamshid Muhtorov (“Defendant”) moves to dismiss evidence the United States of America (“Plaintiff”) allegedly illegally collected under the FISA Amendments Act of 2008 (“FAA”). In the context of national security, a warrantless search and seizure of electronic communications under the FISA Amendments Act (“FAA”) was reasonable since privacy expectations are diminished as an individual puts more information out into the ether of the global telecommunications network (the controls provided in FISA balance the government’s use of FAA-acquired communications against the individual’s privacy interests). [United States of America v Jamshid Muhtorov and Bakhtiyor Jumaev – Criminal Case No 12-CR-00033-JLK – USDC for the District of Colorado]

EU – Dutch DPA: WiFi Tracking in Stores Conflicts with Data Protection Law

The data protection authority in the Netherlands (“DPA”) investigated Bluetrace, a technology company, for collection of tracking and location data of shoppers and passersby. Measurement data was collected from individuals in shopping malls (MAC addresses of mobile phones, WiFi signal strength, sensor serial number and timing); data was collected 24 hours a day, 7 days a week and kept indefinitely, individuals could be identified using a combination of the data, and shoppers were not informed about the collection. [DPA Netherlands – WiFi Tracking Around Stores in Conflict with the Law]

UK – Hyde Park Visitors Covertly Tracked Via Mobile Phone Data

Visitors to Hyde Park, one of London’s most famous tourist spots, were covertly tracked via their mobile phone signals in a trial undertaken by the Royal Parks to analyse footfall amid drastic funding cuts. Officials were able to retrospectively locate park-goers for 12 months using anonymised mobile phone data provided by the network operator EE via a third party. Aggregated age and gender data was also made available during the initiative. If a zone of the park contained more than 50 people at once, it was possible to “drill down” to the aggregated demographic data of visitors to that area too, creating a detailed picture of how different people used the park in previous months. [The Guardian]


US – California’s DMV Puts the Brakes on Self-Driving Cars

The California DMV released its draft guidelines for the deployment of some autonomous vehicles, offering an early window into how regulators will address safety and privacy concerns surrounding the emerging technology. But officials excluded fully self-driving vehicles from their proposal, citing safety concerns. The current draft rules appear to be a barrier to companies interested in offering fleets of fully autonomous vehicles as a ride service in the state. “We’re gravely disappointed that California is already writing a ceiling on the potential for fully self-driving cars,” Google said in a statement. “Safety is our highest priority and primary motivator as we do this.” [Washington Post]

US – Astronaut Tim Peake Calls Wrong Number from Space Station

UK astronaut Tim Peake has apologised for dialing a wrong number from space and saying to a woman on the other end of the line: “Hello, is this planet Earth?” Mr Peake said on Twitter it was not intended to be a “prank call”. [BBC]

US Government Programs

US – Law Student Sues to Overturn New TSA Full-Body Scan Policy

A law student in Miami has asked a federal appeals court to overturn a new Transportation Security Administration policy that could require travelers to use full-body scanners at airport checkpoints even if they opt for a pat-down search. [USA Today]

US – FAA Issues Final Rule for Drone Registration and Marking Requirements

The Federal Aviation Administration (“FAA”) amends Title 14 of the Code of Federal Regulations to implement registration and marking requirements for small unmanned aircraft (“drones”). The interim final rule implements a web-based aircraft registration process for owners of small drones; registrants will receive their Certificate of Aircraft Registration/Proof of Ownership, valid for 3 years, that will include a unique identification number that must be marked on the drone. The normal registration fee is $5, but in an effort to encourage registration, the FAA is waiving this fee for the first 30 days (from December 21, 2015 to January 20, 2016). Comments on this interim final rule are due by January 15, 2016. [FAA – 14 CFR Parts 1_45_47_48_91 and 375 – Interim Final Rule – Registration and Marking Requirements for Small Unmanned Aircraft] [Press Release] [Politico: Drone privacy push could stall out] See also: [FAA drone ban extended 30 miles beyond DC] [The FAA’s rules are clashing with established and more developed rules: NYT] [Here’s how to register your drone with the government] AND [CA – OPP Issues Message for Drone Users]

US Legislation

US – Amendments to GLBA Provides Exemptions to Notice Requirements

Financial institutions will no longer be required to provide customers with an annual privacy notice provided they meet 2 conditions: they provide non-public personal information (“PI”) about customers to non-affiliated third parties only pursuant to GLBA exceptions permitting such disclosure, and they have not changed their policies and practices relating to disclosure of nonpublic PI from those disclosed in their most recent GLBA privacy notice. H.R. 22, Fixing America’s Surface Transportation Act (“FAST Act”), amends the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”); the Bill was signed by President Obama on December 4, 2015. [Congress Close to Approving Limited GLBA Regulatory Relief – Nathan D Taylor, Partner, Morrison Foerster, LLP]

Workplace Privacy

EU – French Supreme Court Ruled Supervisor Unlawfully Uploaded Employee Personal Data to Intranet Site

An employee’s supervisor’s negligence and a system error led to the unlawful disclosure of an employee’s performance review (the review was posted on the company intranet site rather than sent to the supervisor’s secretary’s inbox) without authorisation from the employee, in contravention of the Personal Data Protection Act. [Laurent X v Francois-Gilles Y – Supreme Court of France – Case No 13-85587]

WW – The Open-Office Trend is Destroying the Workplace

New open floor plans are ideal for maximizing a company’s space while minimizing costs. Bosses love the ability to keep a closer eye on their employees, ensuring clandestine porn-watching, constant social media-browsing and unlimited personal cellphone use isn’t occupying billing hours. But employers are getting a false sense of improved productivity. A 2013 study found that many workers in open offices are frustrated by distractions that lead to poorer work performance. Nearly half of the surveyed workers in open offices said the lack of sound privacy was a significant problem for them and more than 30% complained about the lack of visual privacy. Meanwhile, “ease of interaction” with colleagues — the problem that open offices profess to fix – was cited as a problem by fewer than 10% of workers in any type of office setting. In fact, those with private offices were least likely to identify their ability to communicate with colleagues as an issue. In a previous study, researchers concluded that “the loss of productivity due to noise distraction … was doubled in open-plan offices compared to private offices.” The New Yorker, in a review of research on this nouveau workplace design, determined that the benefits in building camaraderie simply mask the negative effects on work performance. While employees feel like they’re part of a laid-back, innovative enterprise, the environment ultimately damages workers’ attention spans, productivity, creative thinking, and satisfaction. [Washington Post]




14-20 December 2015


CA – OPC Warns of ‘Sea Change’ in Privacy Rights in Canada

Federal Privacy Commissioner Daniel Therrien issued his 2014-2015 Annual Report on the Privacy Act, titled “Protecting Personal Information and Public Trust”. In his annual report, Therrien looked at three pieces of legislation and concluded that, “taken together, these initiatives have resulted in what can only be described as a sea change for privacy rights in Canada.” The first, C-44, allows Canadian spies to operate abroad and gives them more ability to obtain information without disclosing its origins; C-13 creates new legal authority for police and public servants to obtain Canadians’ personal data without a warrant; and C-51, the anti-terrorism legislation, opens the door for wide new intelligence-gathering and sharing. The Liberals have said they will change aspects of C-51, but have said little about the other two pieces of legislation. [Vice] [Privacy czar sees middle ground in fight over access to Internet customer info] See also: [No to surveillance: Unions push Liberals to repeal Bill C-51] [Federal government needs to do more to guard against breaches and privacy violations] [Record high number of federal data breaches, says Canada’s privacy commissioner] [Federal departments reported 256 data breaches in 2014-15] [Privacy watchdog urges Liberals to open ‘exhaustive debate’ on Bill C-51] [Privacy czar urges ‘open debate’ as Trudeau government rethinks terror law]

CA – Supreme Court to Weigh in on the Solicitor-Client Privilege Dispute Between Courts, Privacy Commissioners

As outlined in the April 2015 Blakes Bulletin (Privilege Rules: Solicitor-Client Privilege Held Sacrosanct by Alberta Court of Appeal), the Supreme Court of Canada (SCC) has granted leave to appeal (on October 29, 2015) the Alberta Court of Appeal’s decision in University of Calgary v. JR, where the Alberta Court of Appeal held that Alberta’s Office of the Information and Privacy Commissioner (OIPC) does not have the statutory authority under the Freedom of Information and Protection of Privacy Act (FOIPPA) to order a public body to produce records over which it has asserted solicitor-client privilege. [Blake, Cassels & Graydon LLP] See also: [Making Private Information Public: The Continued Expansion of Privacy Class Action Liability] [Canadian Businesses Increasingly Face Privacy Breach Class Actions Absent Traditional Forms of Damages]

CA – Nova Scotia Cyberbullying Law Declared Unconstitutional

The Supreme Court of Nova Scotia has declared the province’s cyberbullying law to be unconstitutional, from start to finish. It was passed unanimously by the Nova Scotia legislature in the immediate aftermath of the death of Rehtaeh Parsons. The government of the day – which was heading for an election – was not willing to throw the police and the prosecution service under the bus for no charges being laid, so instead created the appearance of doing something by creating and passing a very poorly executed law. In the process, they trampled on the Charter rights of all Nova Scotians and created a distraction from the important discussion about sexual assault and consent. [Privacy Lawyer] See also: [The “New York Times Magazine” has a good story about swatting, centering around a Canadian teenager who did it over a hundred times]


WW – People are Info-Egoists When It Comes to their Privacy: Study

People are much more concerned about sharing their own private information with third-party app developers than they are about revealing their friends’ data, according to Penn State researchers. However, as social media makes data increasingly interconnected, preserving one’s own privacy while ignoring the privacy rights of others may make everybody’s data more vulnerable. “The problem is becoming known as interdependent privacy. The privacy of individual consumers does not only depend on their own decisions, but is also affected by the actions of others.” [Source] See also: [ComputerWeekly: UK BCS Launches Consultation on Personal Data Exploitation]


CA – B.C. Government Must Strengthen Records Management, Says Report

A report into records mismanagement by the B.C. government has made several sweeping recommendations in advance of legislation that will come into effect next year. In October, B.C. privacy commissioner Elizabeth Denham published a report finding that the provincial government inappropriately deleted emails. The government then appointed former B.C. privacy commissioner David Loukidelis to produce a follow-up report providing detailed recommendations on how it should manage records and handle freedom of information requests. The report was tabled on December 16th. Loukidelis called for reforms within the Ministry’s Information Access Operations (IAO), which is a central body within the B.C. government that processes freedom of information requests to its ministries. This body took over the processing of requests when the government shifted to a centralized model in 2009. In particular, the IAO should be on the lookout for situations where the government cannot meet the standard expected of it, the report suggested. [IT World Canada] [Times Colonist: Make Openness the First Default: Premier Clark said the government accepts all the recommendations]

US – Retailers Improve Unsubscribe Practices, Allowing Consumers to Opt Out

The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, revealed today the results of its second annual OTA Email Unsubscribe Audit, analyzing which leading e-commerce sites are enabling consumers to easily opt out of email. OTA reported that 75% of the top 200 online retailers (according to the Internet Retailer Top 500 list) have moved beyond basic compliance, demonstrating a commitment to user empowerment and control of their inboxes. These companies have been named to the 2015 Unsubscribe Honor Roll, recognizing excellence in marketing practices. Companies achieved this distinction by scoring 80% or higher on a weighted blend of 12 best practice criteria related to the unsubscribe process and results. Merchants also improved significantly in their honoring of unsubscribe requests. In 2014, 10% of those audited failed to honor unsubscribe requests, while in 2015 the failure rate was less than 2%. [Download The Report]


EU – Paris Terrorists Used No Encryption at All

In the wake of the Paris attack, intelligence officials and sympathizers upset by the Edward Snowden leaks and the spread of encrypted communications have tried to blame Snowden for the terrorists’ ability to keep their plans secret from law enforcement. Yet news emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted. [The Intercept] [TechDirt] [ArsTechnica] SEE ALSO: [Paris attacks blamed on strong cryptography and Edward Snowden] and also: [FBI head: Social media becoming weapon for terrorists, and new word on the San Bernardino shooters] and [Apple CEO defends privacy, encryption amidst terrorist concerns] [Rolling Stone Magazine: Edward Snowden: Clinton’s Call for a ‘Manhattan-Like Project’ Is Terrifying]

EU Developments

EU – EU Officials Reach Agreement on Text of New Privacy Law

After nearly four years of haggling and lobbying, negotiators agreed on a final text of the EU-wide bill, which will replace a patchwork of 28 different sets of national privacy laws, and boost the bloc’s paltry privacy penalties to potentially billions of euros, EU officials said. Under the agreed text, fines would rise to a maximum of 4% of a company’s world-wide revenue. The text, which must be definitively approved by the European Parliament and EU governments before going into effect in two years’ time, is expected to tighten rules for getting online consent and create new responsibilities for cloud-services companies. It is also expected to tightly restrict how analytics and advertising companies can re-use data harvested from individuals, for example after they purchased a product or signed up for a service. The agreement on the law kicks off a new phase of fighting between regulators and companies over how to best tackle the vast amount of personal information that individuals generate when they do anything from visiting a website to walking past a Wi-Fi hot spot. [Wall Street Journal] [Council of the European Union – Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – Final Text | Press Release] [EU Data Protection Deal Confirmed: Overview, Next Steps] See also: [The Transatlantic Data War: Europe Fights Back Against the NSA ]

EU – Article 29 Working Party Calls for EU Police Directive to Prohibit Mass Data Transfers to Third Countries

The Article 29 Data Protection Working Party (the “Working Party”) issued its opinion on the EU Police Directive. Massive, repeated and structured transfers of personal data to third-country authorities should be prohibited; exceptions should be justified and limited to what is strictly necessary. There should be a general obligation to notify a data breach to the DPA, and notification to data subjects should be distinguished by their categorization (e.g. victims, witnesses, etc.). [Opinion 03/2015 on the draft directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data – Working Paper 233]

UK – Committee Seeks Input on Draft Investigatory Powers Bill

The Joint Committee on the Draft Investigatory Powers Bill was appointed by the two Houses of Parliament in the UK to explore key issues raised by the proposed legislation. The committee sought input from “interested individuals and organisations.” Written evidence will be accepted through December 21, 2015. [BCS] [UK Parliament] [Police could hack any device, even toys, under UK surveillance draft bill] [Written Evidence Regarding Investigatory Powers Bill – Andrews & Arnold Ltd and FireBrick Ltd: Investigatory Powers Bill Overstates Usefulness of Internet Connection Records]

Facts & Stats

US – More Than 11 Million Victims of Healthcare Breaches in 2015

The U.S. Department of Health and Human Services found that 55 healthcare organizations were the victims of breaches and hacks in 2015, with a total of 11,802,842 affected individuals. “The sheer amount of victims shows that the healthcare industry needs to step up its security game,” the report states. “If the healthcare industry doesn’t want to become the first one to have the dubious distinction of having a fatal victim, and doesn’t want to keep losing private data, it better start taking security seriously. The numbers don’t lie,” it continues. [Motherboard] See also: [University Pays $750,000 Penalty for Security Breach and Failure to Conduct Risk Assessment of e-PHI: HHS – Resolution Agreement – University of Washington] [Modern Healthcare]


EU – Germany: Web Giants Pledge to Delete Hate Speech in 24 Hours

Facebook, Google and Twitter have agreed to delete hate speech deemed illegal in Germany within 24 hours. The move follows pressure from German authorities concerned about the increasing volume of racist abuse being posted on social networking sites. [AP] [German Supreme Court rules in favor of blocking websites]

CN – China Seeks Internet Regulation; Activists Warn of Threat to Speech

Chinese President Xi Jinping called for governments to cooperate in regulating Internet use, stepping up efforts to promote controls that activists complain stifle free expression. Xi’s government operates extensive Internet monitoring and censorship and has tightened controls since he came to power in 2013. [USNews] See also: [The Star: China Prepares to Rank Its Citizens — One By One]

Health / Medical

EU – Digital Health Plans Will Give Patients Online Access and Control Over Medical Records

NHS patients in Wales will be able to access their medical records online, supplement that information and share it with others under plans announced by the Welsh government. The Welsh government said people in Wales will “routinely use digital apps, wearable devices and other online resources to be well-informed and active participants in their care” under its plans. They will also be able to book appointments and order repeat prescriptions via online systems as well as “use the internet, email and video conferencing to connect with clinicians and care professionals in a way that suits them”. The Welsh government said that technology would also be used to ensure patients receive digital prompts, such as reminders about forthcoming appointments or to take medication or exercise. [Source] See also: [The price of wearable craze: Personal health data hacks: Your personal health information is about 10 times more valuable than a stolen credit card number on the black market]

US – Non-Healthcare Companies Have Exposed PHI in Breaches: Study

According to a study from Verizon, nearly 20% of breaches involving healthcare information are not detected for at least one year. This is due in part to the fact that some organizations outside the healthcare sector are unaware that they have healthcare data stored in their systems. 20% of breaches of health records involved privilege abuse. [Dark Reading] [The Register]

WW – Healthcare Pros Lack Confidence in Sharing Anonymized Data: Study

A Privacy Analytics and Electronic Health Information Laboratory survey of 271 healthcare professionals found that many organizations that share health data for “secondary purposes” are unsure that the data they are sharing is adequately anonymized, yet 56% are still planning to increase their 2016 sharing, Health Data Management reports. “The question is what is acceptable risk and how do you manage it,” said Privacy Analytics CEO Khaled El Emam. “We’ve seen some very large and complex data sets. And, to de-identify that, you really need some sophisticated techniques. There are good practices for de-identification and there are poor practices for de-identification,” he continued. [Health Data Management] See also: [New Guidance, Processes for De-Identifying Healthcare Data]

Horror Stories

WW – MacKeeper Exposes Personal Data of 13 Million Users

The company that makes MacKeeper has acknowledged a breach that exposed usernames, passwords, and other data for 13 million customers. Someone found the data while “searching for database servers that require no authentication and are open to external connections.” That person notified MacKeeper maker Kromtech; the company quickly blocked public access to the databases. [Krebs] [CNET]

Identity Issues

WW – Community Support FYI: Improving the Names Process on Facebook

Facebook will begin to test new tools that address two key goals. First, they want to reduce the number of people who are asked to verify their name on Facebook when they are already using the name people know them by. Second, they want to make it easier for people to confirm their name if necessary. These tools have been built based on many conversations with community leaders and safety organizations around the world. [Source]

Law Enforcement

CA – The Cellphone Spyware the Police Don’t Want to Acknowledge

The RCMP and the OPP have both declined to tell the Star if they use International Mobile Subscriber Identity (IMSI) catchers – also known as “stingrays” – because they say giving out that information could interfere with their investigations. Stingrays electronically mimic cellphone towers, and trick cellphones within their range into connecting to them. Once a phone makes the connection, the stingray can grab data from it – including phone numbers, texts, phone calls and websites visited – in real time. Ontario Privacy Commissioner Brian Beamish said the technology, which has a range of several kilometres, casts a wide net that doesn’t distinguish between suspects in criminal cases and ordinary citizens. “It’s potentially so intrusive in terms of the amount of information it can gather, not only about a target but about other people as well, people that aren’t under suspicion,” Beamish said. [Source]

Privacy (US)

US – Congress Passes the Cybersecurity Act of 2015

The Cybersecurity Act of 2015 (the “Act”) was passed by Congress this week as part of the 2016 omnibus spending package. The Act is very similar to the Cybersecurity Information Sharing Act (“CISA,” S. 754), which passed the Senate on October 27 and was the subject of a previous analysis, although there are some important differences which the overview highlights. If enacted into law by the President as part of the spending package, the Act would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government, state governments, and private entities. [Overview at Inside Privacy]


US – NIST Outlines Methods for Protecting Data from Cyber Attacks

The threat of ransomware is one of three example scenarios highlighted in a recent white paper released by the National Institute of Standards and Technology (NIST), titled Data Integrity: Reducing the Impact of an Attack. The paper launches a joint project led by the National Cybersecurity Center of Excellence (NCCoE), with participation by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and several private sector organizations. [HLDA]

US – False Sense of Confidence Over Data Security: Report

Overall, the report finds that many retailers have a false sense of confidence when it comes to protecting their organization’s – and consumers’ – sensitive data. A majority of retailers indicated they believe they are doing a good job with IT security efforts, but the study shows “gaping holes in their security programs such as sharing login credentials among multiple employees and not knowing if sensitive data is being leaked.” [Source]


EU – Few Time Limits on Deployments of CCTV Systems: Study

Video surveillance, first introduced in France, Italy and the UK by the private sector, is heavily used by law enforcement for security purposes; there are few limits on how long such systems may be deployed – 5 years in France (renewable for 4-month periods if there is a risk of terrorism), and no time limit in Italy or the UK. [The Use of Surveillance Technologies for the Prevention, Investigation and Prosecution of Serious Crime – Céline C. Cocq and Francesca Galli, European University Institute]

UK – UK Spy Agency Admits Hacking Phones and Computers Without Warrants

GCHQ admitted for the first time in court that it engages in computer hacking. Previously it had refused to confirm or deny whether it had such capabilities. In 2013, 20% of GCHQ intelligence reports were based on information from hacking, the tribunal heard. That proportion is likely to have increased since then, as the use of encryption has made it more difficult to listen in on communications. Ben Jaffey, counsel for Privacy International, told the IPT, “GCHQ undertakes ‘persistent’ CNE operations where an implant ‘resides’ in a targeted computer for an extended period to transmit information or ‘non-persistent operations’ where an implant expires at the end of a user’s internet session.” [Source]

US – Make Sure Santa Registers Your Drone, FAA Warns

The Federal Aviation Administration (FAA) announced that new drones must be properly registered with a registration number visibly marked before they take to the skies. “Registration provides us with an opportunity to educate unmanned aircraft users about how to operate safely,” said FAA Deputy Administrator Michael Whitaker. “It will also create accountability, so when a drone is located that has been flying improperly we’ll be able to locate the owner,” he said. “There’s nothing that would require an enforcement action if we just get someone to do what they’re supposed to do.” [Washington Post] See also: [I Read the FAA’s 211 Page Drone Registration Regulation So You Don’t Have to] and [Privacy Nightmare: Own a Drone? FAA Wants Your Credit Card Number] and [FAA Finally Admits Names and Home Addresses In Drone Registry Will Be Publicly Available]

Telecom / TV

CA – CRTC Executes First Inspection Warrant for Suspected Violations of the Unsolicited Telecommunications Rules

The CRTC has executed its first warrant in relation to a telemarketing investigation, which allows it to enter and inspect a property in Ontario; the company is alleged to be making unauthorized calls to Canadians for the purpose of selling anti-virus software to numbers registered on the National Do Not Call List. [Canadian Radio-television and Telecommunications Commission – CRTC Executes First Inspection Warrant as Part of Telemarketing Investigation]

US Government Programs

WW – ISIS Releases PII of Government Officials; DHS Screening Scrutinized

Supporters of the Islamic State (ISIS) have allegedly released the personal information of several U.S. and French officials, CSM Passcode reports. Though not yet verified by the U.S. government, Twitter accounts tied to ISIS released the home addresses of some ex-State Department and CIA officials, as well as names and emails tied to officials from the French Ministry of Defense. Meanwhile, the State Department said, “obviously things went wrong” in the visa background checks of suspected San Bernardino shooter, Tashfeen Malik. At issue is a secret policy of the Department of Homeland Security that prevents officials from checking applicants’ social media postings as part of the screening process. According to the report, Obama administration officials had implemented the program out of fear of a civil liberties backlash. [CS Monitor]

US Legislation

US – CISA Buried in Omnibus Bill

A version of the Cybersecurity Information Sharing Act (CISA) with most privacy protections eliminated has been incorporated into the omnibus bill, which is likely to pass as the bill comprises a large portion of funding for the federal government. As currently amended, CISA no longer requires companies to anonymize data they turn over to the government, and it broadens the scope of purposes for which the government may use the data. [WIRED] [The Register] [TechDirt] See also: [Congress Adds ‘CISA’ To ‘Omnibus’ Budget Bill, Up To President Obama To Veto] [Ryan Urged to Leave Cyber Threat Sharing Bill Out of Omnibus] [OmniCISA Pits DHS Against the FCC and FTC on User Privacy] [Government privacy watchdog set to lose power to examine covert action]

US – “Do Not Track” Bill Lets Consumers Just Say No to Online Tracking

Sens. Richard Blumenthal (CT) and Ed Markey (MA) introduced the Do Not Track Online Act of 2015 [PDF], which would direct the FTC to create new regulations “regarding the collection and use of personal information obtained by tracking the online activity of an individual.” If the bill passes, the FTC would have a year to establish standards for implementing a simple and easy-to-use Do Not Track mechanism for consumers to indicate that their personal information should not be collected while surfing the web. The FTC would also create a rule prohibiting providers from collecting the personal information of individuals who have used the Do Not Track mechanism. [Source]




06-13 December 2015

Big Data

WW – No, “Big Data” Can’t Predict the Future

The Bing teams are learning a lesson only Austrians and, more specifically, Misesian praxeologists, seem to be alone in grasping: that there are no constants in human action, and therefore that predictions of social phenomena are impossible. Pattern predictions, as Hayek called them, may not be impossible, but predictions of exact magnitudes are. For instance, we can rely on economic law (such as “demand curves slope downward”) to estimate an outcome such as “the price will be lower than it otherwise would have been,” but we can’t say exactly what that price will be. [Source]

HK – Hong Kong DPA Requires Data Subject Consent and DPA Authorization When Using Matching Procedures

The Privacy Commissioner for Personal Data (“PCPD”) issued guidance on matching procedures. Matching procedures cannot be carried out unless consent has been received from data subjects (voluntary express consent) and authorisation has been obtained from the DPA; the personal data collected for the procedure cannot be used for a new purpose (whether directly related or any other purpose) unless data subjects have given express consent. [PCPD Hong Kong – Information Leaflet – Matching Procedure – Some Common Questions]


CA – OPC Tables 2014-2015 Annual Report on Privacy Act

The Office of the Privacy Commissioner (OPC) of Canada’s 2014-2015 Privacy Act annual report was tabled in Parliament. Privacy Commissioner Daniel Therrien said the number of complaints to the OPC increased slightly during the fiscal year, totaling 3,977. Therrien has identified four strategic privacy priorities for the next five years: the economics of personal information; reputation and privacy; government surveillance; and the body as information. [OPC Press Release] [Federal Government Must Do More to Prevent Breaches] [Globe&Mail: Therrien Wants “Exhaustive Debate” on Bill C-51]

CA – Alberta OIPC Annual Report: Breaches Doubled This Year

Alberta Privacy Commissioner Jill Clayton says she’s alarmed by a near doubling of privacy breaches as well as concerned about “the growing number of court challenges of her investigations.” In her annual report, Clayton said the number of self-reported breaches is up 86% this year compared with the last. Breaches reported include information contained on mobile devices that is not encrypted as well as snoopers spying on family, friends and neighbors. Clayton also said government challenges to her cases are costing taxpayers money and delaying results. [Calgary Herald] See also [A BC Information and Privacy Commissioner adjudicator said government bureaucrats have the right to refuse to disclose email logs and also that it’s unreasonable to release the data with personal information redacted.]

CA – Section 30.1 of BC Privacy Law “Hampering Innovations”

The trend toward storing data on servers anywhere and everywhere, rather than on drives kept physically on site, runs directly into a BC privacy law. It was written 11 years ago to safeguard against U.S. snooping that was allowed by the far-reaching USA Patriot Act. It gets reviewed every 5 years by a committee. Another review is underway, and members have heard an earful recently about how that privacy safeguard — Section 30.1 — hampers public agencies trying to do business in the interconnected world. “It erodes our competitiveness. It’s preventing us from using world-class tools that other universities use in other jurisdictions. It’s adding costs and administrative complexity” says University of B.C. lawyer Paul Hancock (who was representing the four research universities). The College of Registered Nurses has also weighed in on the question of why private bodies routinely handle B.C. citizens’ personal information outside of Canada, but public bodies are forbidden from doing so. [The Victoria Times Colonist]

CA – Ontario’s Bill 113 Passed, What Now?

Timothy Banks provides an overview of concerns about the Ontario Police Records Checks Reform Act, 2015. The Ontario legislature passed the bill last week, but prior to that the Standing Committee heard concerns from stakeholders including the Association of Children’s Aid Societies, the National Association of Professional Background Screeners, the Ontario Nonprofit Network and the Civil Liberties Association. Banks offers an overview of those concerns, where they landed and what the government needs to do to make the law operational. [Full Story] [Ontario Breach Notification Bill Gains Traction]

CA – Trudeau Government Omits Bill C-51 in Maiden Throne Speech

The Throne Speech does not specifically reiterate Trudeau’s vow to repeal or amend controversial provisions in anti-terrorism legislation passed by the previous Conservative government. Among other things, Trudeau has promised to create a multi-party parliamentary oversight committee to monitor the activities of departments and agencies with responsibility for national security. He has also promised to amend the legislation so that it’s clear that legal protests or advocacy can’t be construed as terrorist activities. In what is likely meant to be an indirect reference to those promises, the throne speech says only that “the government will continue to work to keep all Canadians safe, while at the same time protecting our cherished rights and freedoms.” [National Post] See also: [Why nobody should bet on Trudeau ‘fixing’ C-51]


WW – Google Responds to EFF Complaint About Student Data Privacy

“The facts about student data privacy in Google Apps for Education and Chromebooks” responds to the Electronic Frontier Foundation (EFF) complaint regarding Google Apps for Education (GAFE) and other products and services, especially Chrome Sync. “While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year. …I want to reiterate some important facts about how our products work, how we keep students’ data private and secure, and our commitment to schools, more broadly…” [Google Apps Blog]

US – 64% of Shoppers Will Say Bye Bye to Breached Business

Gemalto’s newest global survey entitled “Broken Trust: ‘Tis the Season to Be Wary,” found that 64% of respondents felt they were “unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen,” with 49% feeling that way regarding the loss of their personal information. “The media coverage of massive data breaches has done little to instill consumers’ confidence in how well companies, big and small, are protecting their data,” said Gemalto. “Either companies need to increase their security measures or, assuming that they already have these in place, they need to communicate this to their customers.” [Dark Reading]

WW – License Plate Readers Enter the Mainstream

OpenALPR boasts a cheap license plate reader (LPR) that interested shoppers can purchase online, and privacy advocates agree that the practice is legal. “There is not much in the law that would prevent someone from using the technology unless its use rises to the level of stalking or harassment,” said the Electronic Frontier Foundation. “License plates are exposed to public view, and ALPR companies like Vigilant consistently argue they have a First Amendment right to photograph plates and retain the data they collect.” [Ars Technica]

Electronic Records

US – How Electronic Health Records Are Harming Patients

EHRs are designed to support billing more than patient care, experts say. It shouldn’t come as a surprise that most doctors are unhappy with their electronic health record (EHR) systems, which tend to be clunky, hard to use and may actually get in the way of truly excellent patient care. Doctors’ biggest complaint about the EHR is that it slows them down, especially in the documentation phase. “Compared to handwriting or dictating, EHRs take doctors 9 times longer to enter the data… Sure, you have more information in the EHR than in paper records, but it takes more time.” EHRs also raise alerts to prevent adverse interactions with other medications, allergies, or foods. Many of these are inapplicable to particular patients, and after a while, doctors may stop paying attention to them or turn them off. Three quarters of EHRs don’t allow the customization of these alerts. [Source]


US – Comey Calls on Tech Companies Offering End-to-End Encryption to Reconsider “Their Business Model”

Comey and other government representatives have been pressuring companies like Apple and Google for many months in public hearings to find a way to provide law enforcement access to decrypted communications whenever there’s a lawful request. Deputy Attorney General Sally Quillian Yates said in a July hearing that some sort of mandate or legislation “may ultimately be necessary” to compel companies to comply, but insisted that wasn’t the DOJ’s desire. Now, there’s little pussyfooting about it. “There are plenty of companies today that provide secure services to their customers and still comply with court orders,” he said. “There are plenty of folks who make good phones who are able to unlock them in response to a court order. In fact, the makers of phones that today can’t be unlocked, a year ago they could be unlocked.” [The Intercept] SEE ALSO: [Senator Feinstein Working on Legislation to ‘Pierce’ Encryption] and [Don’t breach encryption warns privacy watcher] [How not to report on the encryption ‘debate’ ]and [Advocates and White House Officials Meet To Discuss Encryption Backdoors]

EU Developments

EU – First-Ever Breach Notification Law Passed in the EU

The European Union agreed to its first cybersecurity law, dubbed the Network and Information Security Directive (NISD), which mandates certain companies, like those operating critical infrastructure or financial services, along with Internet companies such as Amazon and Google, to report large-scale security incidents. “The internet knows no border—a problem in one country can have a knock-on effect in the rest of Europe,” said the European Commission’s Digital Chief, Andrus Ansip. “This is why we need EU-wide cybersecurity solutions. This agreement is an important step in this direction,” he added. “Member states will have to cooperate more on cybersecurity, which is even more important in light of the current security situation in Europe,” said European Parliament’s Rapporteur Andreas Schwab in a Computer Weekly report. [Reuters] [Hogan Lovells Summary: Agreement Reached on First EU-Wide Rules to Improve Cybersecurity]

An EU Parliament press release reports that the rapporteur on the General Data Protection Regulation, Jan Philipp Albrecht, is optimistic that the three-way trilogue discussions will result in a final deal by the end of 2015. [Learn more]

The European Data Protection Supervisor (“EDPS”) has established an external advisory group on the ethical dimensions of data protection; members of the Advisory Group will be appointed for a term from February 1, 2016 until January 31, 2018. [Learn more]

Facts & Stats

CA – City of Toronto Says You Need Permission to Photograph Your Own Kids in a Park or Outdoor Rink

A Star editor was not happy to be told on a trip to Colonel Sam Smith Skating Rink with his kids that he was not allowed to take photos. The city says he technically needs permission, but staff are supposed to use discretion. Since at least 2001, the City of Toronto has had a policy stating: “Patrons wishing to use cameras, video cameras or other photographic devices, including camera phones and PDAs (Personal Digital Assistants), in any program or facility must receive permission from staff before filming. Pictures may only be taken of children/patrons in their personal care. Every attempt should be made to limit or eliminate other patrons from being filmed in the background. When possible staff should make a verbal request for permission to photograph other patrons who may be in the area where pictures are being taken” [Source]


WW – Data Privacy Concerns Hinder Mobile Payment Adoption

Identity theft, payment fraud and data privacy concerns remain the biggest barriers to mass adoption of mobile payment services, according to an Inside Secure survey of 1,217 American consumers. The survey revealed that 17% of respondents who did not make holiday purchases with their mobile phone last year plan to use a payment service such as Apple Pay, Android Pay, Samsung Pay or a proprietary service from their bank or card issuer to make the leap to mobile payments this holiday season. Of the people who are not planning to use their smartphone to make in-store holiday purchases, 70% state that their concerns about identity theft prevent them from using in-store mobile payment applications, 70% state that their concerns about mobile payment fraud prevent them from doing so, and 71% stated that the privacy of their transaction data was a top concern.


UK – ICO Warns of Return to the ‘Dark Ages’ Upon Launch of FOI Review

The Information Commissioner’s Office praised the work of journalists and said the introduction of flat rate fees would be “disproportionate”. On protection given to “internal deliberations of public bodies”, the ICO said current exemptions under sections 35 and 36 of the act are “sufficient”. Information Commissioner Christopher Graham said: “The danger is that the Whitehall machine might run more smoothly, [but] you are back to that world of private government – which I just don’t think fits with the 21st century.” He also suggested Whitehall’s “concern” over the FoI Act is “slightly overdone”, saying a “very small minority” of cases that come to his office result in defeats for the Government. [Source]

Health / Medical

AB – Alberta OIPC Report Finds Health Department Flouts Privacy Law

The Alberta Office of the Information and Privacy Commissioner released an investigation report that found Alberta Health has failed to provide the required oversight to prevent privacy breaches involving electronic health records. The report found a legally-mandated committee charged with overseeing stewardship of data made available through Netcare was effectively disbanded two years ago. Netcare contains millions of records – including lab results, drug prescriptions and hospital discharge summaries – that can be accessed electronically by over 44,000 registered users in health care facilities and doctors offices around the province. [Source]

US – OCR’s Enforcement Efforts Focus on Big Breaches Over Small

Smaller healthcare breaches, like doctors revealing patient details in Facebook statuses or the inappropriate sharing of patient files, rarely get the focused attention and enforcement efforts from the Office for Civil Rights (OCR) that large-scale breaches do. “Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected.” “Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.” This September, the Health and Human Services’ “inspector general issued a pair of reports that criticized [the OCR], including its handling of small breaches,” which found that the “OCR did not investigate the small breaches reported to it or log them in its tracking system.” [NPR]

WW – Survey: Healthcare Pros Unsure Data Sharing, Privacy Can be Reconciled

A Privacy Analytics survey of 271 healthcare professionals determined that more than two thirds of respondents lack confidence in their organizations to share data while protecting privacy. “Confidence in protecting privacy is correlated to an organization’s data management practices,” the survey states. “Respondents whose organizations use de-identification software or third-party de-identification services are more likely to have complete confidence in the ability to responsibly share data for secondary use.” Meanwhile, a CIO Summit survey discovered that “board and leadership involvement is essential in creating the right solutions and strategies for healthcare organizations.” [HealthITSecurity]

WW – OTA Releases Checklist on Smart Device Safety

The Online Trust Alliance (OTA) has released a checklist aiming to help consumers avoid getting hacked as they use any of the 50 million smart devices that will be sold over the holiday season. “That’s 50 million opportunities for data and home network compromises as well as privacy abuses, which is why it’s imperative that consumers follow our guidelines,” said the OTA’s executive director and president. “Consumers should not have to pay twice—once with their credit card and then again in perpetuity with their personal data, identity and safety.” The checklist can be found here. [NetworkedWorld]

WW – Mental Health Apps on the Rise, But What About Privacy?

Scientific American reports on the increase in mental healthcare apps and the privacy concerns that come along with such sensitive data collection. New mobile devices help users diagnose and monitor mental health symptoms, but in order to do so, such technology needs to passively gather constant streams of personal data—including sleep patterns and physical activity. In addition to an alleged lack of evidence-based research proving mental health apps are working, there is also concern that privacy is not appropriately protected. A task force set up earlier this year by the American Psychiatric Association noted, “This is a challenging task given the lack of clinical data on how apps can help or harm patients, serious concerns about privacy and data security and the need for more discussion on related ethical issues.” [Scientific American] In 2013, a study in JMIR mHealth and uHealth revealed that only five apps targeting depression, anxiety and substance abuse had been tested for clinical effectiveness. A similar study this May in Internet Interventions showed that by last November there were only 10 peer-reviewed published articles for depression apps, and four for bipolar disorder.

Horror Stories

US – University Medical Center Agrees to Pay $15,000 for Breach of Patient Information

An employee of the center provided a list of patient information (names, addresses and diagnoses) to her future employer. The agreement requires the center to provide to the Attorney General its privacy, security and breach notification policies and procedures and notification of any breach of unsecured PHI; all staff must be trained on any new or revised policies and procedures. [New York State Office of the Attorney General – A.G. Schneiderman Announces Settlement With University Of Rochester To Prevent Future Patient Privacy Breaches | Press Release | Settlement Agreement]

US – Moms Sue Mattel Over Talking Barbie

Two mothers have filed a class-action against Mattel claiming the company’s Hello Barbie doll “invades children’s privacy.” The doll uses speech recognition software to talk to kids and then stores the conversations in the cloud, the report states. Users must register the doll and create an account, at which point parents receive an e-mail stating recordings won’t be used for ads and any personal information collected in conversation will be deleted. The plaintiffs say the doll doesn’t comply with the Children’s Online Privacy Protection Act (COPPA) in part because children across the country, friends of doll-owners, have been recorded without their parents’ permission. [Full Story]

Internet / WWW

WW – Support for Old Internet Explorer Sunsets

After January 12, 2016, Microsoft will no longer provide security updates for older versions of Internet Explorer (IE). One estimate suggests that as many as 124 million users are running Internet Explorer versions 10 and earlier. The only version of IE that will continue to receive updates after January 12, 2016 is IE 11, so any browser still reporting an older version after that date is running unpatched code and should be treated as such in web-application and endpoint risk assessments. [Microsoft] [ZDNet]
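A practical way to find out how exposed your own user base is to this sunset is to classify the Internet Explorer versions that show up in web server logs. The script below is an added example written for this digest, not code from Microsoft or ZDNet; the log lines are constructed to look like Apache/nginx combined-format entries and are not real traffic. It maps the Trident layout-engine token to the IE major version (Trident/7.0 is IE 11, 6.0 is IE 10, 5.0 is IE 9, 4.0 is IE 8) in preference to the MSIE token, because IE in Compatibility View reports an older MSIE version while still sending its real Trident version.

```python
import re
from collections import Counter

# Constructed sample log lines in combined format (not real traffic). They
# cover IE 11, IE 10, IE 8, Chrome, IE 9, a second IE 11 and an IE 11 in
# Compatibility View that advertises "MSIE 7.0" but still sends Trident/7.0.
SAMPLE_LOG = """\
10.0.0.1 - - [13/Jan/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.2 - - [13/Jan/2016:10:01:05 +0000] "GET /login HTTP/1.1" 200 734 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
10.0.0.3 - - [13/Jan/2016:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.4 - - [13/Jan/2016:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
10.0.0.5 - - [13/Jan/2016:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"
10.0.0.6 - - [13/Jan/2016:10:01:20 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
10.0.0.7 - - [13/Jan/2016:10:01:24 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2)"
"""

# Trident layout-engine version -> Internet Explorer major version.
TRIDENT_TO_IE = {"7.0": 11, "6.0": 10, "5.0": 9, "4.0": 8}

# Only IE 11 receives updates after 12 January 2016; anything older is unsupported.
LAST_SUPPORTED_IE = 11


def user_agent_of(log_line):
    """Return the User-Agent string, i.e. the last quoted field of a combined-format line."""
    m = re.search(r'"([^"]*)"\s*$', log_line)
    return m.group(1) if m else ""


def ie_version(user_agent):
    """Return the IE major version for an IE user agent, or None for any other browser.

    The Trident token is consulted first: a Compatibility View IE 11 sends
    "MSIE 7.0" together with "Trident/7.0", and only the latter is truthful.
    """
    m = re.search(r"Trident/(\d+\.\d+)", user_agent)
    if m and m.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[m.group(1)]
    m = re.search(r"MSIE (\d+)\.", user_agent)  # very old IE without a Trident token
    if m:
        return int(m.group(1))
    return None


def unsupported_ie_report(log_text):
    """Count requests per IE major version that no longer receives security updates."""
    counts = Counter()
    for line in log_text.splitlines():
        version = ie_version(user_agent_of(line))
        if version is not None and version < LAST_SUPPORTED_IE:
            counts[version] += 1
    return counts


if __name__ == "__main__":
    for version, n in sorted(unsupported_ie_report(SAMPLE_LOG).items()):
        print(f"IE {version}: {n} request(s) from an unsupported browser")
```

Run it against a real access log by passing the file contents to `unsupported_ie_report`; the per-version counts tell you which client population to prioritise for upgrade notices. The Compatibility View line in the sample is the case naive `MSIE` matching gets wrong, counting a fully patched IE 11 as an unsupported IE 7.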

WW – Windows XP Embedded Extended Support Expires Next Month

Microsoft is scheduled to end Extended Support for Windows XP Embedded, which is still running on many of the UK’s 70,000 cash machines. ATM owners are urged to upgrade their systems prior to January 12, 2016, after which time Microsoft will no longer provide updates.

Privacy (US)

WW – Top Privacy Stories for 2016: US-EU Transfers, Cybersecurity, and Government Surveillance

Organisations should monitor the following topics in 2016: Safe Harbor 2.0 (which may depend on the outcome of the Judicial Redress Bill currently before the Senate) and the Network and Information Security Directive (“NISD”), which is to be published in 2016 by the European Commission (it will require organisations to take appropriate technical and organisational measures to manage risks posed to the security of networks and to report “significant cyber security incidents” to regulators). [Source]

US – Multinational Hotel Chain Must Maintain Detailed Security and Audit Program as Part of 20-Year Settlement Agreement with FTC

The FTC was granted an injunction against Wyndham Hotel Group in relation to alleged unfair and deceptive security practices in violation of the FTC Act. The FTC had filed a lawsuit against Wyndham in 2012 alleging unfair acts or practices related to a security breach. The chain is required to implement and maintain a comprehensive security program (e.g. appointing an individual or individuals responsible for the program and conducting risk assessments); a written assessment of the chain’s compliance with the approved standard (defined as PCI DSS or a comparable standard submitted by the chain and approved by the FTC) must be conducted by a qualified and independent third-party assessor annually, and within 180 days of a breach of more than 10,000 unique payment card numbers. [FTC v. Wyndham Worldwide Corporation, et al. – Stipulated Order for Injunction – United States District Court For The District Of New Jersey]

US – FTC Explains How Their Enforcement Practices Differ from the FCC

The FCC reclassified broadband as a Title II common carrier service and, as a result, the FTC’s jurisdiction over ISP practices is limited; the FTC is concerned that what appears to be a “strict liability” data security standard will actually harm consumers, since the costs imposed by a regulator on a legitimate, non-fraudulent company are ultimately borne by its consumers (a recent Order by the FCC fined an ISP $595,000 when there was no evidence of any consumer harm). [Source]

US – Class Action Lawsuit Alleges Smart TV Manufacturer’s Tracking Software Surreptitiously Collects and Discloses Users’ Viewing Habits

A class action lawsuit filed against Vizio, a smart TV manufacturer, and Cognitive Media Networks, a tracking technology company, (collectively, the “Defendants”) alleges violations of the Video Privacy Protection Act (“VPPA”) and various California laws. [Palma Reed et al. v. Cognitive Media Networks, Inc. and Vizio, Inc. – Class Action Complaint and Demand for Jury Trial – In the United States Court For The Northern District Of California San Francisco Division]

US – Advocacy Group Says All Drones Should be Registered and All Operating Drones Should Have GPS Tracking

An advocacy group submits comments in response to the Federal Aviation Administration (“FAA”)’s request for public comments on drone registration requirements. The FAA should mandate registration for all drones (regardless of size) and require any drone operating in national airspace to include a GPS tracking feature that would always broadcast the owner identifying information; the registration database of commercial operators should be publicly available, but privacy protections should be implemented for hobbyist operators (restricting the use and release of their information for specific purposes).[Comments to the U.S. Department of Transportation, Federal Aviation Administration – Clarification of the Applicability of Aircraft Registration Requirements for Unmanned Aircraft Systems (UAS) and Request for Information Regarding Electronic Registration for UAS – Electronic Privacy Information Center]

Privacy Enhancing Technologies (PETs)

WW – New Privacy-as-a-Service Cloud Tech Unveiled

New technology released this week purports to protect the privacy of users by providing “invisible connections and invisible computers.” Dispel’s CEO said, “We have built an engine that allows us to dynamically generate unattributable, encrypted and ephemeral infrastructure using multiple cloud providers.” The system connects a user’s device to Dispel’s network in a way that does not reveal the user’s identity, location or content. “We are a totally new proprietary technology …There are no fixed network targets and nothing is publicly listed, so users don’t need to trust a random stranger.” [eWeek]

WW – File-Sharing Data in the Cloud Sheds Privacy Light

Cloud provider Skyhigh took stock of 500 companies it serves, finding that 39% of cloud-sent “corporate data” finds its way to file-sharing applications. However, “worryingly from a data security perspective, the average organization shares documents with 826 external domains, which includes business partners and personal email addresses,” the report states, adding that 9.2% of data shared externally includes delicate information. “While there are a lot of numbers in here, there are some patterns that will either be of concern (if you’re a security-conscious CIO within a highly regulated industry) or positive (if you’re involved with a cloud file sharing solution provider),” the report continues. “Either way, surfacing this sort of data helps everyone plan and react to what is going to be a continuing pattern of use.” [Computerworld]

RFID / Internet of Things

CA – Canadian Regulation Should Accord with International Approaches

A law firm discusses the regulation of and the Canadian approach to the Internet of Things (“IoT”). Regulations that are not in line with international approaches can lead to increased regulatory compliance costs to enter the Canadian market and increased barriers to Canadian companies entering global markets; suggested practices issued by the US FTC include data minimization, prioritization of building security into devices, adequately training employees, monitoring devices and reporting security breaches to consumers. [The Internet of Things – Guidance Regulation and the Canadian Approach – Kirsten Thompson and Brandon Mattalo – McCarthy Tetrault]


WW – Majority of 2015 Breaches Due to Employee Error: Global Survey

A cybersecurity report released by the Association of Corporate Counsel has found that the most common cause of a data breach at companies is employee error. The report surveyed more than 1,000 in-house lawyers in 30 countries and found that 30% of breaches in 2015 were the result of employee error. Other causes included unauthorized access to data by insiders and phishing attacks. 50% said their company has cyber insurance, with 68% of those reporting coverage of $1 million or more. [Wall Street Journal]

WW – Ransom Paid By Police and Law Firms to Hackers: Expert

The president of the Privacy and Access Council of Canada says it’s not just individuals and small businesses who are shelling out to hackers who infect their computers with viruses. “Police departments and law firms are very, very attractive targets and they pay quite often,” said Sharon Polsky, a Calgary data protection and privacy expert. “If it’s worth it to them to regain control of their information, absolutely they’re going to pay it,” she said. [CBC]


US – FBI Official Says the Agency Uses Zero-Days, StingRays

FBI executive assistant director for science and technology Amy Hess acknowledged that her agency uses zero-day vulnerabilities in the course of its investigations. Hess also said that the FBI has never issued a gag order to police regarding the use of cell-site simulator technology, often referred to as StingRay. What the FBI does not want disclosed are the “engineering schematics,” or technical details about how the device works. [Washington Post] [ArsTechnica] SEE ALSO: [Feds Ordered to Disclose Data About Wiretap Backdoors] [Judge prods FBI over future Internet surveillance plans]

US – Federal Judge Orders Justice Department to Disclose Wiretap Program Info

A federal judge is ordering the Justice Department to disclose more information about its so-called “Going Dark” program, an initiative to extend its ability to wiretap virtually all forms of electronic communications. The ruling by U.S. District Judge Richard Seeborg of San Francisco concerns the Communications Assistance for Law Enforcement Act, or CALEA.

UK – UK’s Surveillance Camera Commissioner Issues First Annual Report

Report deals with video surveillance cameras, body worn cameras, Automated Number Plate Recognition. [Report]

WW – U.N. Calls for ‘Anti-Terror’ Internet Surveillance

A United Nations report calls for Internet surveillance, saying the lack of an “internationally agreed framework for retention of data” is a problem, as are open Wi-Fi networks in airports, cafes, and libraries. The United Nations is calling for more surveillance of Internet users, saying it would help to investigate and prosecute terrorists. A 148-page report titled “The Use of the Internet for Terrorist Purposes” warns that terrorists are using social networks and other sharing sites including Facebook, Twitter, YouTube, and Dropbox, to spread “propaganda.” The report, released at a conference in Vienna convened by UNODC, concludes that “one of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” Europe, but not the U.S. or most other nations, has enacted a mandatory data-retention law. [CNET]

US Government Programs

US – OPM IG Report Found the Agency Dropped the Ball

The Office of Personnel Management’s (OPM) Inspector General (IG) publicly released its report this week, which found the agency improperly handled how it awarded its contract to the company responsible for the first round of data breach notifications, prompting House Oversight Committee Chairman Jason Chaffetz (R-UT) to call for the resignation of OPM Chief Information Officer Donna Seymour. “I write once again to augment my concerns that Ms. Donna Seymour … is unfit to perform the significant duties for which she is responsible,” he said. “It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties.” According to the IG, the agency’s contractual agreement with vendor CSID violated federal contracting regulations in five ways, including inadequate market research and an unreliable contract file. [CNN]

US Legislation

US – Librarians and Privacy Advocates Ally to Condemn Cybersecurity Bill

The American Library Association, the world’s oldest and largest library association, has joined with 18 other groups to issue a letter to the White House and Congress urging lawmakers to oppose the final version of a bill they claim will dramatically expand government surveillance while failing to tackle cyber-attacks. Politicians from both sides of the House have been pushing for stronger cybersecurity measures in the wake of the Paris attacks and the recent San Bernardino shooting. Republican House speaker Paul Ryan has been leading the charge to push through legislation and reconcile two House bills, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act, with the Cybersecurity Information Sharing Act of 2015 (CISA), a controversial bill that passed a Senate vote in October. According to the letter’s signatories, the proposed “conference” legislation would:

  • Create a loophole that would allow the president to remove the Department of Homeland Security, a civilian agency, as the lead government entity managing information sharing.
  • Reduce privacy protections for Americans’ personal information.
  • Overexpand the term “cyber threat” to facilitate the prosecution of crimes unrelated to cybersecurity.
  • Expand already broad liability protection for information disclosure.
  • Pre-empt state, local or tribal disclosure laws on any cyber-threat information shared by or with a state, tribal or local government.
  • Eliminate a directive to ensure data integrity.

Moreover, they argue, the legislation would dramatically expand the amount of sensitive information held “by government agencies with dismal records on data security” and institute “blind, automatic transfer of personal information to intelligence agencies, including the National Security Agency, that would be authorized to use the information for non­-cybersecurity purposes.” [The Guardian]

US – Student Privacy Laws Are On the Rise

Student data privacy legislation has been on a tear recently. At the state level this year, 47 states have introduced 186 bills addressing student data privacy, and 15 states passed 28 new laws. Much of the legislation is modeled on California’s landmark Student Online Personal Information Protection Act, effective January 1. Both the U.S. Senate and the House have responded to President Barack Obama’s call for enhancing student data safeguards under the Family Educational Rights and Privacy Act with new legislative proposals. If there’s one privacy goal that commands widespread political support, it’s the protection of student data. But protection from what? [IAPP News] [Data Quality Campaign]

Workplace Privacy

WW – Questions to Consider When Monitoring Employees

There has been an increase in available technology to help organizations better monitor their employees to help protect their property and assets. Any time a business engages in employee monitoring, they also risk alienating their employees or even running afoul of state or federal law. But what kinds of questions should organizations be asking when deciding to track and monitor their workforce? This article looks into an array of monitoring techniques and lays out the types of questions privacy pros should consider when engaging in this important, but potentially controversial, activity. [Full Story]




26 Nov – 06 Dec 2015

Big Data

WW – Smarter Cities Will be based on Open Data, says Expert

Imagine a world where the smart meters used to record and manage energy consumption in homes are used by health care providers to monitor outpatients, or where information recorded by traffic cameras or road sensors is used to help people plan their journeys more efficiently. Regardless of the model being adopted, the success of smarter cities will depend on the liberalisation of data that has been traditionally locked into individual bits of infrastructure. Freeing up that data, and using software to manipulate the information for wider use, will deliver benefits like smarter energy consumption, transportation, city planning and health care in cities. [Out-Law]

WW – Most Businesses Collecting Data They Never Use, Survey Finds

Most companies in the UK, France and Germany collect data they never use, according to a new survey. 22% of respondents admitted that they often collect data that they never end up using, whilst half of those surveyed said it “happens occasionally.” Just over a quarter of respondents (26%) said they always use the data they collect. A lack of internal skills, cost, the time-consuming nature of data processing and a lack of “proper data processing tools” were all cited as reasons why organisations do not “fully process” the data at their disposal. In an opinion issued on data protection and the Internet of Things (IoT) last year, EU privacy watchdog the Article 29 Working Party warned that businesses which collect personal data not necessary for the purposes they wish to pursue, in the hope that they will find a use for it in future, could be found in breach of EU data protection laws. [Out-Law] SEE ALSO: [Big Data to Become a Big Asset at Deutsche Bank] and [How to Keep Your Customers’ Trust While Collecting and Learning From Their Data] and [The Internet of Things: Guidance, Regulation and the Canadian Approach] and also [Nielsen study on Information Security for Small and Medium Enterprises recently commissioned by Chartered Professional Accountants of Canada]


CA – BC Commissioner Recommends FIPPA Amendments

B.C.’s FIPPA should be amended to require public bodies to have a comprehensive privacy management program (including privacy training and a FIPPA complaints process) and to require notification to individuals and the OIPC of any breach that would cause significant harm; the OIPC’s current complaint process and review and inquiry process should be streamlined into one process, and the penalties for offences under FIPPA should be raised to a maximum of $50,000 for both general and privacy offences. Other recommendations include requirements for public bodies to document key actions and decisions, to apply de-identification methods to public data sets, to correct PI when an individual requests it, to amend the definitions of “data-linking” and “advice” vs “recommendations”, and to enact new comprehensive health information laws. [OIPC BC – Submission to the Special Committee to Review the Freedom of Information and Protection of Privacy Act] [Press Release] [Speech]

CA – BC Court of Appeal Rules OIPC Has Responsibility for Breach Remedies

The Court of Appeal for British Columbia heard an appeal and cross-appeal of an appellant’s claim of breach of privacy by an employee of the Insurance Corporation of BC. At issue were claims for vicarious liability for breach of privacy, and for negligent breach of a statutory duty. According to the ruling, the BC FIPPA provides a comprehensive complaint and remedy procedure for public bodies that fail to protect personal information; the Commissioner has supervisory responsibility over the adequacy of a public body’s information security arrangements, can investigate and attempt to resolve complaints, and has order-making powers. [Ari v Insurance Corporation of British Columbia – Court of Appeal for British Columbia – 2015 BCCA 468 CanLII] See also: [Quebec Privacy Commission Encourages Organisations to Report Security Incidents] [Press Release (French)] [Security Incident Reporting Form (French)]


WW – Growing up Cyber: Generation Z and Online Privacy

A new study analyses where Generation Z excel in privacy but may need a friendly nudge in the right direction, examining passwords, messaging apps, cybercrime and social media privacy, noting Generation Z became experts in adjusting their privacy settings for fear of embarrassing baby pictures popping up on their friends’ newsfeeds, and are well versed in how to hide information and what to do when something just doesn’t feel right. Case in point, 74% of teen social media users have deleted people from their networks. [Source]


US – New Federal Council Will Hone in On Data Privacy Issues

The Office of Management and Budget is creating a new Federal Privacy Council to make policy recommendations, establish best practices and foster a community of privacy professionals within the federal government. The Privacy Council will be modeled on the Federal CIO Council — a group of agency CIOs that work together to advise on IT priorities. The new council will form in early 2016. [Source] SEE ALSO: [OPM Just Now Figured Out How Much Data It Owns: The Atlantic] See also: [Lessons learned from the Adobe data breach]


WW – Free Encryption Certificates Now Available to Public

The Let’s Encrypt project is now offering free TLS certificates to the general public. The project, which is run by the Internet Security Research Group, initially ran a trial for a small group of volunteers earlier this fall. The certificates are trusted by all major browsers. [The Register]

WW – Blackberry to Leave Pakistan Over Government Access Demands

BlackBerry has announced it will no longer operate in Pakistan because of local government demands for access to communications. The government wanted access to all BlackBerry Enterprise Service (BES) traffic in the country, including all BES emails and messages. “We do not support ‘back doors’ granting open access to our customers’ information and have never done this anywhere in the world,” wrote BlackBerry’s Chief Operating Officer. [Computerworld]

WW – Dell Installs Root Certificates on Laptops, Endangers Users’ Privacy

Users are reporting that some Dell laptops sold recently come preloaded with a self-signed root digital certificate that lets attackers sniff traffic to any secure website. “If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications,” said the CEO of a major security firm. “I suggest ‘international first class,’ because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.” [PC Advisor] SEE ALSO: [Millions of Internet Things are “secured” by the same “private” keys]

EU Developments

EU – Report Argues Greater Role for DPAs in Supervising Intelligence Agencies

According to a new report by the European Union Agency for Fundamental Rights, there is no consistency in EU Member States’ oversight systems in relation to intelligence services (e.g. in almost half of all Member States DPAs have no competence over intelligence services), and there are gaps between DPAs and oversight bodies; in almost 1/3 of Member States there is no law providing for the obligation to inform and the right of access. [Surveillance by Intelligence Agencies: Fundamental Rights, Safeguards and Remedies in the European Union] [Summary] [EU wants to give national privacy regulators more clout in new U.S. data pact] SEE ALSO: [EU Member States Agree Higher Fines for Firms For Privacy Violations]

EU – Officials Pressing Tech Companies for More Access

E.U. officials want the large U.S.-based technology companies to work with them in providing more access to user data to help fight terrorism. Companies including Facebook, Twitter, Microsoft, Apple and Alphabet’s Google reportedly met with government and law-enforcement officials from the EU to talk about ways of cooperating to fight terrorism. One meeting in Paris with the French PM focused on finding ways to quickly remove propaganda from social networks, but another focus for EU officials was on finding ways to include so-called back doors into encrypted services. [The Wall Street Journal]

UK – Snooper’s Charter: Privacy Groups Challenge Controversial Bill

Security experts, civil liberty groups and technology organisations have pushed back against key sections of the recently revealed Investigatory Powers Bill in 46 separate written submissions to the government. Now, as the bill faces increasing scrutiny, V3 has analysed the submissions sent to the Science and Technology Committee to pick out the key arguments, finding strong opposition to approaches on encryption, bulk surveillance and hacking. [Source]

EU – EU-Based Cloud Aims to Solve Safe Harbor Data-Storage Conundrum

European cloud provider Zettabox launched its Zettabox Euro Harbor service, which is geared toward helping U.S. companies comply with post-Safe Harbor data storage. The new service aims to allow companies acting as data controllers and operating in Europe to store their clients’ data in the EU in one of 10 European data centers, offering reassurance to EU customers and regulators that U.S. law enforcement and intelligence services can’t legally access the data stored in such servers. [TechWeek]

EU – “Privacy Bridges” Proposals at Amsterdam Commissioners’ Conference

19 renowned privacy experts from the US and the EU have developed ten practical proposals to increase the transatlantic level of protection of personal data. Most proposals can be implemented within existing different legal systems and are applicable worldwide. It concerns pragmatic bridges that benefit people, companies, governments and supervisory authorities. The experts present their report at the International Privacy Conference at the end of October in Amsterdam. Their paper is now available. [Privacy Conference 2015] [EU-U.S. Privacy Bridges]

UK – ICO Announces Search for Successor

The ICO announced that it is seeking a successor to its head, Christopher Graham. The job listing notes, “This is a demanding and high profile role as a key UK regulator. The successful candidate will be an outstanding individual with a strong professional track record who is able to take and defend difficult decisions, to win the confidence of a wide range of stakeholders from all sectors and to act as the public face of the organization at a domestic and international level.” The office is based in Wilmslow, Cheshire, with three regional offices, and employs roughly 400. The appointment is for five years. [Press Release]

Facts & Stats

WW – Google Releases Right To Be Forgotten Statistics

Google’s most recent Transparency Report reveals that the search engine took stock of 1.2 million webpages in its right-to-be-forgotten evaluations, eradicating 42% of problematic links, the majority of which were Facebook-borne. “Google doesn’t explain in its data why it removes some links and keeps others,” the report states. “But it dropped clues signaling it takes into account whether someone is a public or private figure, whether it considers crimes to be minor, and whether embarrassing incidents took place during a person’s private or professional life.” The countries with the highest number of requests? France and Germany. [The Wall Street Journal] [Facebook tops Google’s list of domains for ‘right to be forgotten’ requests]

CA – Data Breaches Cost Canadian Companies $250 per Record

IBM partnered with the Ponemon Institute to examine the cost of data breaches in Canada. Twenty-one companies participated in the study, which found that the average per capita cost of a data breach is $250 and the average total organizational cost is $5.32-million. The industries with a per capita data breach cost of substantially more than $250 were financial, services, technology and energy. Public sector, education and consumer organizations had a per capita cost well below the overall mean value. [Globe & Mail]


WW – PCI SSC Explains How to Respond to a Breach

The Payment Card Industry Security Standards Council (PCI SSC) published a three-page guide titled Responding to a Data Breach that articulates its position on the correct response to a security incident at a merchant location where the attack exposed cardholder data. This guidance highlights some of the difficulties in developing proper response procedures, specifically the challenges in mapping out complete, thorough procedures that actually hold up under the stress of an actual incident. [IAPP]


CA – Liberal Transparency Reforms Subject to ‘Review’ Next Year

Trudeau has pressed for reform of access to information since 2014, but nothing is planned for 2015. The Liberal government quickly implemented some key policies, including the removal of a gag order on government scientists, shutting down a court case about niqabs at citizenship ceremonies and ramping up Syrian refugee processing. But there has been no directive from the top about releasing more documents under freedom-of-information law, a move the U.S. president made on his first day in office. [CBC]

US – FTC goes ‘Star Chamber’ on Warrant Transparency

Nobody knows how many administrative subpoenas are issued by government agencies. Administrative subpoenas are warrants for records such as private “papers” and emails. They are issued unilaterally by government bureaucrats and are impossible to reconcile with the Fourth Amendment’s requirements of “oath and affirmation” of “probable cause” before neutral judges. Watson and The Daily Caller News Foundation have issued multiple FOIA requests to various government agencies to get a sense of how many of these subpoenas are issued. [Source]

UK – ICO Guidance for Removing PI When Responding to Access Requests

The UK Office of the Information Commissioner published guidance on how to disclose information safely when responding to information requests. Organisations should control access to files containing personal data and use specific software to permanently redact information intended for release in an electronic format; when considering disclosure of files, organisations should consider if the file contains linked data, meta-data or comments that should be removed. [ICO UK How to Disclose Information Safely – Removing Personal Data from Information Requests and Databases]


CA – Supreme Court Zeroes in on Penile Swabs

The clash between the privacy rights of a criminal suspect and the powers of police is once again before the Supreme Court. This time the court must decide whether police are permitted to force an individual suspected of committing a sexual assault to provide a genital swab for the purposes of obtaining DNA evidence. The trial judge found that the search (leading to a match) was unreasonable but admitted the evidence under s. 24(2) of the Charter. A majority of the Alberta Court of Appeal found that a warrant should have been obtained first, yet it also upheld the conviction under s. 24(2). The other judge on the panel found that this was a legitimate search incident to arrest under the common law powers of police and a warrant was not necessary. Whether a genital swab without a warrant is appropriate should be governed by the same test the Supreme Court set out in R. v. Golden for strip searches according to the Alberta Crown and the Ontario Ministry of the Attorney General, which is an intervener. A genital swab is no different than a test for gunshot residue on a suspect and it is not an intrusion on bodily integrity. [Law Times]

Health / Medical

US – ONC Issues Guidance on PHRs

A report prepared for the Office of the National Coordinator for Health IT provides practical and useful guidance to Health Information Exchange (“HIE”) organizations who are interested in designing and implementing a Personal Health Record (“PHR”) as part of their portfolio of services. [Final Report: HIEs and Personal Health Records Community of Practice: Key Considerations for HIE-based Personal Health Records]

US – White House Issues Medical Guidelines and Funding Opportunities

The White House released the Precision Medicine Initiative (PMI) Privacy and Trust Principles, aimed at building patient trust and protecting patient privacy for precision medicine-related activities last month, as the National Institutes of Health (NIH) announced the availability of $72 million in PMI-related funding opportunities for fiscal year 2016. A Security Policy Framework that will help ensure that security is built into the foundation of the PMI is in development. [Hogan and Lovells]

US – HIPAA Questions Portal a Hit

Some healthcare providers are pleased with the U.S. Department of Health and Human Services’ nascent HIPAA Questions Portal as use of the tool grows. The system allows those in the field to pose questions to HIPAA experts, thus avoiding breaches of protocol. Meanwhile, privacy concerns regarding the app dubbed “the Instagram for doctors” abound. [iMedicalApps]

Horror Stories

US – Toymaker Breach Affects Six Million Children, 4 Million Adults

Toymaker VTech announced the attack on its Learning Lodge app store and Kid Connect messaging system databases exposed the data of 6.4 million children and 4.9 million adults. The largest percent of those affected were in the U.S., with France, the UK, Germany and Canada all in the top five. The stolen data on children included name, gender and birth date; and from adults, name, mailing address, email address, password retrieval questions, IP address and passwords. [The Register] [Washington Post] [Bloomberg] [The Wall Street Journal: VTech Begins Breach Clean-Up] [Reuters] See also: [VTech Hacker Explains Why He Hacked the Toy Company ]

Identity Issues

US – Concerns Over ID Protection Overlook Dangers of Inference

The IAPP VP of Research and Education discusses the debate surrounding de-identification. The discussion thus far has generally focused on protecting identity, but that’s distracted policymakers from a central privacy problem in this age of big data, “the ability of organizations to draw highly sensitive conclusions about you without exposing your identity, by mining information about ‘people like you,’” he writes. As such, the main privacy issue isn’t identity, but inference, because even without identification, “machine-made inferences pose risks to societal values of privacy, fairness and equality.” [Yale Journal of Law & Technology] SEE ALSO: [How Dynamic Data De-Identification Is a Bridge to the Future]

CA – Yukon IPC: Health Numbers, Cards Unsuited for Secondary Purposes, Uses

The Yukon Info & Privacy Commissioner issued comments on the Dep’t of Health and Human Services’ proposed development of regulations under the Health Information Privacy and Management Act. The proposed regulations would allow other uses of health cards for government and non-government programs and services; this presents significant risks, public bodies do not have privacy management programs in place and non-governmental organizations that may use the cards may not be subject to any privacy laws. [Health Information Privacy and Management Act Public Consultation – IPC Comments]

US – Woman’s Ex Used ID-Theft Service to Track Her

An Arizona woman says her ex-husband was able to track her financial movements using an identity-theft protection company after he used her Social Security number to open a bogus account in her name at LifeLock, allowing him to receive alerts and emails when the woman applied for credit cards, leased a car and opened a bank account. “He knew everything I did,” she said. [USA Today]

Law Enforcement

ON – Mental Health, Carding Records No Longer Disclosed by Police

A new Ontario law mandates that police first disclose the results of a record check to the person who is the subject of those records, then that person would have to provide written consent for police to disclose the information to the third party that requested the check. The Liberal government introduced the act after stories emerged of people being stopped at the U.S. border after records of suicide attempts were disclosed and people being prevented from volunteering because they witnessed a crime. This legislation does not cover information sharing between police agencies, so it may not prevent mental health records being used to turn people away at the border. [City News]

CA – RCMP Unveils Plan to Tackle Cybercrime

The RCMP published its Cybercrime Strategy setting out objectives, strategic enablers and 15 actions items to be implemented over the next 5 years. The Mounties’ strategy is designed to tackle technology-based crime that is increasingly moving beyond their ability to investigate because of advanced encryption, the global reach of crime and enhanced privacy protections. Missing in the RCMP report — and the broader debate about privacy versus public safety in Canada — is comprehensive data from police detailing the scope of the problem. [Source] See also: [‘We can’t protect public from cyber crimes’: RCMP boss] [RCMP need warrantless access to online subscriber info: Paulson] [The RCMP wants more online surveillance power. We should say no] [Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong]

US – LA Considers Notifying Potential Johns They’re Being Watched

L.A. City Council wants to tackle prostitution by sending “Dear John” letters to the homes of any drivers who linger in the area by taking note of their license plates. Critics call the move “stigmatic” for neighbors, while arguing that some cars, like garbage trucks, aren’t necessarily in the neighborhood for company. Displeasure with being surveilled seems to be the biggest concern, however. “Registered owners will know the city is watching your every move and notifying you of it,” said a commenter at a public hearing on the motion. “If Hitler were here, he would applaud you today,” adding in no uncertain terms that he felt the proposal to be “fascism on steroids.”


EU – CNIL Identifies When Employees’ Work Vehicles Can Be Tracked

France’s Commission nationale de l’informatique et des libertés (“CNIL”) published guidelines on geolocation tracking in vehicles. Geolocation devices can be installed on employee vehicles to monitor and charge for a transport service (such as ambulance in the context of billing the health insurance company), for security of employees (e.g., a commercial truck carrying merchandise of great value), and to improve the allocation of resources (e.g., identify the ambulance closest to an accident); geolocation devices cannot be installed to monitor compliance with speed limits. [CNIL Guidelines for the Use of Geolocation Tracking of Employees (French) ]

Online Privacy

WW – Cross-Device Tracking Raises Consumer Awareness Concerns

At a workshop on cross-device tracking, the FTC Chairwoman described the uses of probabilistic models, which make inferences on information over which the user has no control such as shared IP addresses or location information when 2 devices are consistently used together in the same household. This type of tracking raises transparency issues (it employs persistent identifiers), and there are almost no tools that tell consumers which devices are linked together or to them or that allow them to opt-out of the linking of the identifiers. [FTC – Remarks of FTC Chairwoman Edith Ramirez at FTC Workshop on Cross-Device Tracking] See also: [FTC Guidance is Needed for Cross-Device Tracking – CDT] See also: [TD Visa customers’ browsing activities open to ‘surveillance’ by bank; Bank denies collecting general information about what customers do online]

Other Jurisdictions

AU – Australia Introduces New Counter Terrorism Legislation

Australia’s Attorney General introduced new counter-terrorism legislation; the bill includes measures that will allow a control order to be imposed on persons 14 years or older, simplify monitoring of individuals subject to control orders through enhanced search, telecommunications interception and surveillance device powers and introduce a new offence of advocating genocide. [Attorney-General] See also: [AU – Government Unveils Data Breach Notification Bill, Seeks Input]

Privacy (US)

US – EFF Wants FTC to Investigate Google Apps for Ed

The EFF says in a complaint to the FTC that Google’s Apps for Education violates the Student Privacy Pledge the company signed in January, which indicates it will only collect, store or use student data for educational purposes. The EFF found that the company was collecting kids’ personal information through the “Sync” feature in the Chrome browser that “is enabled by default on Chromebooks sold to schools” and says Google is using that information for uses beyond education. Google has agreed to change the settings for computers sold to schools but is “confident that these tools comply with both the law and our promises, including the Student Privacy Pledge.” [The Wall Street Journal]

US – Task Force Recommends Register Drones at Point of Operation, Not Sale

The Federal Aviation Administration’s Unmanned Aircraft Systems (“UAS”) Registration Task Force (“RTF”) Aviation Rulemaking Committee (“ARC”) issued its final recommendation in relation to drone/UAS registration requirements. All drones under 55 pounds must be registered prior to operation in national airspace; a single registration number will cover all drones a registrant owns, who must register on a free web-based system. [Task Force Recommendations Final Report]

US – Lorrie Faith Cranor Named FTC’s New Chief Technologist

Carnegie Mellon’s Lorrie Faith Cranor will succeed Ashkan Soltani as the FTC’s Chief Technologist, the agency said. “We are delighted to welcome Lorrie to our team, where she will play a key role in helping guide the many areas of FTC work involving new technologies and platforms,” said the FTC Chairwoman. Not everyone reacted positively: “The revolving door of privacy advocates masquerading as Chief Technologists continues at the FTC,” said the Interactive Advertising Bureau. “It’s like they are funding a one semester internship for anyone with advocate bona fides.” [FTC Press Release]

Privacy Enhancing Technologies (PETs)

US – New PIA Templates, Case Study, Announced

Last year, AvePoint announced a free and downloadable privacy impact assessment automation tool, APIA. Now, with more than 2,500 privacy professionals using APIA in countries spanning the globe, a case study has been published. Also, two new questionnaire templates are now available to help users simplify PIAs and carry out surveys according to recommended best practices: third-party vendor assessment and cloud readiness. [IAPP Resource] SEE also: [Hong Kong DPA Issues PIA Guidance]


WW – Study: Employees Account for 80% of Breaches

Experian’s annual Data Breach Industry Forecast found that 80% of breaches are catalyzed by employees—careless or otherwise. “Unfortunately people doing stupid stuff is the largest cause—it’s as simple as putting a non-production server into production, not turning on a malware or firewall protection or as simple as the lost (unencrypted) laptop or USB key.” [BankInfoSecurity] SEE also: [Fung: Tech Teams Need Ethics Training] [Accessing personal information common practice at RNC, Newfoundland privacy commissioner told]


US – DoJ Testifies on Policy Governing Use of Cell-Site Simulators

The Principal Deputy Assistant Attorney General testified before the U.S. House of Representatives’ Subcommittee on Information Technology of the Committee on Oversight and Government Reform at a hearing on Examining Law Enforcement Use of Cell Phone Tracking Devices. [Testimony before the House Committee on Oversight and Government Reform – Department of Justice] See also: [UK GCHQ accused of ‘persistent’ illegal hacking at security tribunal] AND: [U.K. Spies Turn Your Cell Phone Into a Bug in Tech War on Terror]

CA – Vancouver Police Deny FOI Request for Cellphone Tapping Info

On September 11, 2015, the Information and Privacy Unit of the Vancouver Police Department (VPD) replied to a July 23 FOI request, explaining that it was unable to provide access to the requested information. In accordance with section 15(1)(c) of the B.C. FIPPA, the VPD refused to release the records requested on the grounds that any disclosure would be harmful to law enforcement. Furthermore, in accordance with section 8(2) of the act, the VPD refused to confirm or deny that any such records existed. The VPD’s response reminded many in the press that the Harris Corporation has, in the past, required U.S. law enforcement agencies buying its brand name StingRay technology to sign non-disclosure agreements (NDAs), requiring questions from the press and the public to be answered as obliquely as the VPD answered the Pivot FOI request. [Source]

Telecom / TV

US – National Security Letter Content Revealed

A US District Court judge has allowed a former ISP owner to disclose the content of a National Security Letter he received in 2004. NSLs come with gag orders, forbidding recipients from disclosing their contents or even revealing that they have been received. The document reveals that the FBI sought the target’s entire web browsing history, the IP addresses of everyone the target corresponded with, and a record of all the target’s online purchases. [ArsTechnica] [Newly published FBI request shines light on National Security Letters]

US Legislation

US – Sen. Announces Proposed Surveillance Bill

As the government said goodbye to the NSA bulk phone record surveillance program, Senator Tom Cotton (R-AR) introduced the Liberty Through Strength Act II, a bill that aims to “let the government keep the phone records it has already collected for five years.” According to critics, the bill is “Big Brother on steroids.” FreedomWorks’ CEO took umbrage with Cotton and others who “are willing to sacrifice our liberties on the altar of security” and “treating Orwell’s 1984 as a how-to guide instead of a warning.” [SC Magazine] SEE ALSO: [Chat, text, email – Congress moves to stop government snooping]

Workplace Privacy

WW – New Employee Monitoring Software Opens Up Range of Legal Issues

Canadian employers looking to track workplace satisfaction and productivity are taking inspiration from foreign companies that use personal data trackers and data analysis to improve employee performance. However, employers looking to gain the benefit from such programs should prepare for workers raising challenges related to this new practice. Incidental breaches of privacy abound, as do concerns whether the employer’s use of data unfairly prejudices certain employees. Finally, data associated with an individual employee may become disclosed in the course of wrongful dismissal claims. Before using data to track employee productivity, employers would be wise to develop human resources policies in anticipation of challenges raised by workers, as well as to make workers aware of how data will be used. At this early stage, employers may even want to “decouple” data so that it cannot be linked with an individual employee. [Lawyers Weekly] See also: [The Chilling Effect of Privacy Invasion]

CA – Federal, BC and Alberta Commissioner Issue BYOD Guidance

The underlying message contained in the Guidelines appears to be “proceed with caution, if at all”. Implementing a BYOD arrangement for employees should not be taken lightly and the Guidelines raise a number of issues which must be carefully considered prior to moving ahead with such an arrangement. The complete Guidelines can be found here. The Guidelines are summarized at [Lexology] [Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization] See also: [IAPP BYOD Resources]





16-25 November 2015

Big Data

UK – ICO Recommendations to Committee Inquiry on Big Data

Data anonymisation removes an area of risk for organisations (since the data will no longer be personal data subject to the Data Protection Act); organisations that re-identify individuals from anonymised datasets take on all the responsibilities of a data controller (including telling individuals concerned that they are processing their personal data), and are subject to regulatory action if processing personal data without an individual’s knowledge. [ICO]

WW – MAC addresses: the Privacy Achilles’ Heel of the Internet of Things

A MAC address is a unique identifier for a device, and for something regularly worn or carried by a person, it is effectively a unique identifier for that person. To illustrate what sort of information can be deduced from a MAC address, American designer, innovator and anti-surveillance specialist Adam Harvey demonstrated a program which secretly obtained the MAC addresses of smartphones present at an IT security event. He was able to find the Wi-Fi networks that each phone had connected to and thus trace the owners’ movements around the world. Harvey spoke of how such information could be used: “If I were malicious I could construct a highly targeted phishing attack by saying ‘I see you’ve been to the Grand Hotel, did you enjoy your stay there?'” The MAC address could also be used by malicious actors to trigger a bomb when a certain person enters a room, or by a workplace to secretly track employees’ movements. “The uses are endless, and when you don’t have a way of controlling the MAC address then you’re forced to reveal yourself. It’s not much different to walking around electronically naked, as Edward Snowden said. Of all the metadata consumers are aware of, location is the one that touches intuitively on their privacy sensitivities. It’s why they avoid downloading apps with location permissions, or turn off that service for apps that seek access to location.” Consumers are right to be concerned; location is the most insightful of data. A 2012 survey by the Pew Research Centre (PDF) found that 54% of smartphone users had decided not to install an app after learning how much personal information they would need to share to use it, while 30% disabled location on their phone. A later survey by Trust-e found that after contacts, location data was the information that users are most reluctant to share. [Computing]
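The tracking risk described above depends on whether a device exposes a stable, vendor-assigned (globally unique) hardware address or a locally administered one, which is the bit that randomised-MAC features set. The following is an added example, not code from the article or from Adam Harvey; it classifies a MAC address from the two flag bits in its first octet so a user or administrator can audit which of their devices are exposing a persistent identifier. The sample addresses are constructed for illustration and the helper names (`parse_mac`, `classify_mac`) are the example's own.

```python
"""Audit MAC addresses for tracking exposure (added example, not from the article).

Per IEEE 802, the first octet of a 48-bit MAC address carries two flag bits:
  bit 0 (least significant): I/G  - 1 = multicast/broadcast, 0 = individual device
  bit 1:                     U/L  - 1 = locally administered (e.g. randomised),
                                    0 = globally unique, burned in by the vendor
Only the last case is a stable identifier that follows the hardware everywhere.
"""
from dataclasses import dataclass
import re

# Constructed sample addresses for illustration; none belong to a real device.
SAMPLE_MACS = {
    "laptop_wifi":      "3C:22:FB:12:34:56",  # hypothetical vendor-assigned address
    "phone_randomised": "da-a1-19-00-11-22",  # locally administered (U/L bit set)
    "cisco_notation":   "3c22.fb12.3456",     # same as laptop_wifi, different layout
    "broadcast":        "FF:FF:FF:FF:FF:FF",  # I/G bit set: not a device at all
}

_HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


@dataclass(frozen=True)
class MacInfo:
    canonical: str              # upper-case, colon separated
    oui: str                    # first three octets (vendor prefix when global)
    locally_administered: bool  # U/L bit
    multicast: bool             # I/G bit

    @property
    def stable_identifier(self) -> bool:
        """True only for a globally unique, individual (unicast) address."""
        return not (self.locally_administered or self.multicast)


def parse_mac(text: str) -> MacInfo:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff forms."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [digits[i:i + 2].upper() for i in range(0, 12, 2)]
    first = int(octets[0], 16)
    return MacInfo(
        canonical=":".join(octets),
        oui=":".join(octets[:3]),
        locally_administered=bool(first & 0b10),
        multicast=bool(first & 0b01),
    )


def classify_mac(text: str) -> str:
    """Short verdict a user can act on."""
    info = parse_mac(text)
    if info.multicast:
        return "group address (multicast/broadcast), not a device identifier"
    if info.locally_administered:
        return "locally administered: randomised or admin-set, not tied to hardware"
    return f"globally unique hardware address (OUI {info.oui}): stable tracking identifier"


def audit(addresses: dict) -> dict:
    """Map each label to True when the address is a persistent identifier."""
    return {name: parse_mac(mac).stable_identifier for name, mac in addresses.items()}


if __name__ == "__main__":
    for name, mac in SAMPLE_MACS.items():
        print(f"{name:17s} {parse_mac(mac).canonical}  ->  {classify_mac(mac)}")
```

A locally administered address only tells you the device is not broadcasting its burned-in identifier; whether it rotates per network or per scan is a platform setting that this check cannot see, so treat "randomised" as necessary rather than sufficient.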


CA – 2015 Theme #1: Acceleration of Privacy Class Actions

The past year has seen a number of decisions in privacy class actions. They confirm that privacy claims in tort can co-exist with comprehensive privacy statutes (at least in Ontario), that the tort of “publicity given to private life” may exist in Canadian law, that class representatives in privacy cases may conceal their identities with pseudonyms in appropriate cases, and that the focus of discovery in privacy class actions will be on defendants’ obligations and conduct. All of the decisions discussed in this article eliminate or reduce potential obstacles to privacy class actions, and so they may signal that more privacy class actions will be brought and potentially certified in 2016. [Lexology] See also: [A New Era for Privacy Class Actions – Hopkins v. Kay and Implications for the Health Industry]

CA – SK OIPC Issues Privacy Impact Assessment (PIA) Guidance

The Saskatchewan Privacy Commissioner’s new guidance covers how, when and what questions to ask when conducting a privacy impact assessment (PIAs should be conducted to assess whether a project complies with privacy legislation). Some questions organisations should ask are whether PI/PHI will be transmitted, processed, and/or stored, whether the legislation authorizes the collection of PI/PHI, whether PI/PHI will be stored within the province, and whether there are policies and procedures in place to guide employees on the handling of the PI/PHI. [Guidance] [Press Release] See also: [Privacy Breach: OIAPC NB Finds Department of Health Did Not Conduct A Privacy Impact Assessment Before Implementing System Changes]

CA – BC OIPC Recommends Social Media Companies, Schools and Government Develop Cyberbullying Strategies

Social networks should develop policies/processes to permit the removal of PI in cases of cyberbullying or where it has been inappropriately posted without consent; schools should ensure their codes of conduct address cyberbullying, and the government should develop prosecution guidelines for the application of criminal law to cyberbullying cases. [Press Release] [Report]

CA – Superior Court Finds IPC Decisions Covered by Parliamentary Privilege

The IPC’s MFIPPA tribunal function relates only to access to information appeals and does not include adjudication of complaints regarding privacy breaches (but it can do so at its discretion to assist in reporting to the legislature on the practices of institutions); requiring the IPC to investigate would undermine the Legislature’s confidence in the IPC’s ability to prioritize cases that warrant investigation, or allocate resources – the Court does not have jurisdiction to decide whether the IPC properly refused to investigate a complaint or not. [de Pelham v Peel Regional Police Services – 2015 ONSC 6558 – CanLII]


US – Data Privacy and Security Curriculum Released for K-12 Schools

It is essential that children learn about data privacy and security. Their lives will be fully enveloped by technologies that involve data. But far too little about these topics is currently taught in most schools. The Internet Keep Safe Coalition (iKeepSafe), a nonprofit group of policy leaders, educators, and various experts, has released the Privacy K-12 Curriculum Matrix. It can be used by any school, educator, or parent. It contains an overview of the privacy issues that should be taught, including which details about each issue should be covered in various grade levels. It includes suggestions for appropriate learning activities for each grade level. Data security is encompassed within this curriculum too, as it is deeply intertwined with privacy. [Daniel Solove]

Facts & Stats

WW – Google Receives 2 Million Privacy Takedown Requests Each Day

Google has come clean about the number of privacy takedown requests it’s currently receiving from copyright holders around the world. The web giant’s latest Transparency Report confirms that it is being served with a staggering 2 million of these requests each day. That figure – which equates to 25 requests a second or around 2,160,000 a day – has doubled over the last year as the war on piracy rages on. These stats include multiple takedown requests for the same website, so last month’s came from 5,492 rights holders about 72,207 domains.


CA – BC Commissioner to Audit Vancouver’s Info Management Practices Following Provincial Scandal

The City of Vancouver’s handling of access to information and protection of privacy is coming under the microscope of the BC Privacy Commissioner, who said it isn’t acting on a complaint but wants to make sure Vancouver’s record-handling practices comply with the provincial Freedom of Information and Protection of Privacy Act. “Unlike the Oct 2015 Access Denied report [Press Release] which was focused on responding to specific complaints, this is a broader, in-depth report. It is part of our audit and compliance program,” said a spokeswoman. [Vancouver Sun] SEE ALSO: [Dark Picture Painted of B.C. Information Laws at Vancouver hearings] and [Vancouver Mayor Robertson Defends City Hall’s Access To Information Practices] [B.C. information watchdog says probe of Vancouver city hall will delve deeper than investigation of B.C. government]

Health / Medical

AU – Australian DPA Document Identifies When PHI May Be Processed for Research Purposes

Circumstances under which collection may take place without consent include where the research is relevant to public health or safety, where it is impracticable to seek consent, where de-identified data does not serve the research purpose, or where collection is required by law or in accordance with rules/guidelines. [Office of the Australian Information Commissioner: Business Resource: Collecting, Using and Disclosing Health Information for Research]

AU – Australian Privacy Commissioner Issues Guidance on Direct/Indirect Collection of PHI

Health information must be collected directly from the patient unless it is not reasonable or practical to do so based on factors such as how sensitive the information is, whether a reasonable person might expect their information to be collected directly or indirectly, what is accepted practice by consumers and the health sector (e.g. a pathologist collecting a specimen and accompanying information from a referring provider) or emergency situations where it is collected from relatives. [OIC Australia – Consultation Information – Collecting Patients Health Information]

Law Enforcement / Security

US – Police Body Cams Found Pre-Installed With Notorious Conficker Worm

Multiple police body cameras manufactured by Martel Electronics came pre-installed with Win32/Conficker.B!inf, according to security firm iPower. When one such camera was attached to a computer in the iPower lab, it immediately triggered the PC’s antivirus program. When company researchers allowed the worm to infect the computer, the computer then attempted to spread the infection to other machines on the network. iPower decided to take the story public due to the huge security implications of these cameras being shipped to government agencies and police departments all over the country. It’s troubling because the cameras can be crucial in criminal trials. If an attorney can prove that a camera is infected with malware, it’s plausible that the vulnerability could be grounds for the video it generated to be thrown out of court, or at least to create reasonable doubt in the minds of jurors. Infected cameras can also infect and badly bog down the networks of police forces, some of which still use outdated computers and ineffective security measures. [Ars Technica]


WW – How Uploading Pictures of Your Pet Cat Can Breach Your Privacy

A Florida professor has shown how innocently uploading a picture of your pet cat can allow stalkers to pinpoint exactly where the image was posted. He created a website, ‘I know where your cat lives’, to raise awareness of how people were giving up their privacy online. Location data is often added to images via the camera itself or an accompanying app, providing details on where the photo was taken to within eight metres. He launched the website in July 2014, and it now has 5.3 million cat pictures taken from social media sites such as Instagram and Flickr plotted on a Google Atlas map. The map can zoom into a specific location. “Geographic data is sensitive. A picture can only say so much. But if someone wants to do you harm or stalk you, or you live in a place where free speech is limited, anyone can track where you are.” [Mail Online]
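The location the story describes lives in the image file itself, in the Exif GPS IFD. Added here as an illustration (not code from the Mail Online story or from the professor’s site): a Python example that builds a constructed JPEG carrying only an Exif GPS tag, reads the coordinates back the way any scraper could, and strips the APP1 segment before upload. The tag numbers and layout follow the Exif/TIFF specification; the coordinates are constructed sample values.

```python
import struct
from fractions import Fraction

# Exif tag numbers: IFD0's pointer to the GPS sub-IFD, and the four GPS tags that encode a
# position (hemisphere letter plus degrees/minutes/seconds stored as unsigned rationals).
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1


def _dms(value):
    """Split decimal degrees into (deg, min, sec) rationals; seconds are kept to 1/100."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = round(((value - deg) * 60 - minutes) * 6000)
    return [(deg, 1), (minutes, 1), (seconds, 100)]


def build_geotagged_jpeg(lat, lon):
    """Constructed sample: a minimal JPEG whose only segment is an Exif APP1 block with a GPS IFD."""
    ifd0 = 8                           # IFD0 follows the 8-byte TIFF header
    gps_ifd = ifd0 + 2 + 12 + 4        # IFD0: entry count, one entry (GPS pointer), next-IFD link
    data = gps_ifd + 2 + 12 * 4 + 4    # the rational arrays follow the 4-entry GPS IFD
    lat_data = b"".join(struct.pack(">II", n, d) for n, d in _dms(lat))
    lon_data = b"".join(struct.pack(">II", n, d) for n, d in _dms(lon))
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0)                 # big-endian TIFF header
    tiff += struct.pack(">HHHIII", 1, GPS_IFD_POINTER, 4, 1, gps_ifd, 0)
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI4s", GPS_LAT_REF, 2, 2, (b"N" if lat >= 0 else b"S") + b"\0\0\0")
    tiff += struct.pack(">HHII", GPS_LAT, 5, 3, data)              # 3 RATIONALs, referenced by offset
    tiff += struct.pack(">HHI4s", GPS_LON_REF, 2, 2, (b"E" if lon >= 0 else b"W") + b"\0\0\0")
    tiff += struct.pack(">HHII", GPS_LON, 5, 3, data + len(lat_data))
    tiff += struct.pack(">I", 0) + lat_data + lon_data
    app1 = EXIF_HEADER + tiff
    return bytes([0xFF, SOI, 0xFF, APP1]) + struct.pack(">H", len(app1) + 2) + app1 + bytes([0xFF, EOI])


def _segments(jpeg):
    """Yield (marker, start, end) per header segment; the scan (SOS) or EOI runs to end of file."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (EOI, SOS):       # no header segments follow entropy-coded data
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _gps_from_tiff(tiff):
    """Walk IFD0 to the GPS IFD; return (lat, lon) in decimal degrees, or None if incomplete."""
    endian = {b"MM": ">", b"II": "<"}[tiff[:2]]
    u16 = lambda off: struct.unpack(endian + "H", tiff[off:off + 2])[0]
    u32 = lambda off: struct.unpack(endian + "I", tiff[off:off + 4])[0]
    def entries(ifd):                  # yields (tag, count, offset of the 4-byte value field)
        for i in range(u16(ifd)):
            e = ifd + 2 + 12 * i
            yield u16(e), u32(e + 4), e + 8
    def rationals(field, count):       # 8-byte values never fit inline, so the field is an offset
        ptr = u32(field)
        return [struct.unpack(endian + "II", tiff[ptr + 8 * i:ptr + 8 * i + 8]) for i in range(count)]
    gps_ifd = next((u32(val) for tag, _, val in entries(u32(4)) if tag == GPS_IFD_POINTER), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, count, val in entries(gps_ifd):
        if tag in (GPS_LAT_REF, GPS_LON_REF):
            fields[tag] = chr(tiff[val])
        elif tag in (GPS_LAT, GPS_LON):
            fields[tag] = rationals(val, count)
    if any(t not in fields for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def decimal(dms, ref):
        d, m, s = (Fraction(n, den) for n, den in dms)
        value = float(d + m / 60 + s / 3600)
        return -value if ref in "SW" else value
    return decimal(fields[GPS_LAT], fields[GPS_LAT_REF]), decimal(fields[GPS_LON], fields[GPS_LON_REF])


def read_gps(jpeg):
    """Return the embedded GPS position, or None when the image carries no Exif GPS tags."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return _gps_from_tiff(payload[len(EXIF_HEADER):])
    return None


def strip_app1(jpeg):
    """Copy the JPEG without any APP1 segment (Exif and XMP both live there; both can hold GPS)."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if marker != APP1:
            out += jpeg[start:end]
    return bytes(out)
```

Running `read_gps` on an upload before it leaves the device is the check; `strip_app1` is the fix, and it drops XMP as well because that segment can carry the same coordinates.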

Other Jurisdictions

WW – Five Things You Need to Know About Transferring Data Out of Europe

The U.S.-EU Safe Harbor agreement on transatlantic data transfers is dead. What now?

  1. It only concerns personal data
  2. It’s not the only way to transfer data legally
  3. Your cloud provider may already have your back
  4. Even the alternatives to Safe Harbor may prove inadequate
  5. January 31 is when things get interesting [ComputerWorld]

CA – Trans-Pacific Partnership: Key Takeaways from the Legal Text

Multiple elements of the TPP – including the chapters on electronic commerce, telecommunications and intellectual property – will have an impact on privacy. Most notably, the chapter on e-commerce places limits on restricting international transfers of information. The TPP requires each country to allow the cross-border transfer of information, including personal information, by electronic means when this activity is for the conduct of the business of a covered person. A country may, however, have its own rules concerning electronic transfers of information to achieve a legitimate public policy objective, provided that the measure (i) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (ii) does not impose restrictions on transfers of information greater than are required to achieve the objective. The TPP also prohibits the imposition of measures requiring a covered person to use in-country data centres as a condition for conducting business in that country, unless the measures can be justified as necessary to achieve a legitimate public policy objective and meet conditions of not being discriminatory, arbitrary or a disguised restriction on trade. Exceptions for the application of the above rules have been provided for financial institutions, public procurement or information processed on behalf of the government. [Osler Law]

Mobile Privacy

WW – Key Takeaways on Mobile Apps and Privacy Study

A new Pew Research Center report examines more than 1 million apps available in the Google Play Store from June to September 2014 and explores the wide range of permissions that Android apps require as a condition of use. Pew Research also surveyed Americans about their privacy concerns relating to apps and found many are cautious when it comes to how apps use their personal data. Here are five takeaways from the report:

1)   6/10 downloaders chose not to install an app when they discovered how much personal information the app required in order to use it. Separately, 43% have uninstalled an app for the same reason after initially downloading it.

2)   A majority cited concerns about how their personal data are used as a reason why they would or would not download an app.

3)   Most Android app permissions seek access to a device’s hardware, rather than a user’s personal information.

4)   The most common Android app permissions allow access to a smartphone’s internet connectivity. The average app requested five permissions before installation.

5)   A majority of Android apps we analyzed were free. On average, free apps ask for two more permissions than paid apps (six permissions vs. four).

[Pew Research] Details on the full methodology are available here.

Workplace Privacy

CA – Employer Cannot Use Video Surveillance for Disciplinary Purposes: Ontario Arbitrator

The collective agreement between the employer and the union prohibited the use of video surveillance for any purpose other than security and the employer’s own policies stated that video footage would only be used in the event of a complaint (there was no complaint against the employee). [The Corporation of the City of Niagara Falls v Amalgamated Transit Union Local 1582 – 2015 ONLA 67502 – CanLII]





01-15 November 2015


US – Retailers Test Out Facial Recognition

Retailers are deploying and experimenting with facial recognition technology designed to identify suspected thieves. After several months of experimentation in some of its stores, Wal-Mart decided not to use the technology. “We were looking for a concrete business rationale,” said a Wal-Mart spokesperson, adding, “It didn’t have the ROI.” The technology, made by California-based FaceFirst, scans customers’ faces as they walk into the store and compares the images to find matches with alleged offenders. According to FaceFirst, they do not retain images of every customer, only the suspects or people who resemble a suspect. Though FaceFirst said its software is accurate 98 to 100% of the time, one critic said that some companies have concluded that facial recognition is “not ready for prime time.” [Fortune]

US – Plaintiffs Ask Judge to Let Facebook Suit on Facial Tagging Proceed

Facebook users in Illinois are asking a federal judge to allow a federal lawsuit to proceed that accuses the social media site’s automatic tagging feature of violating an Illinois privacy law by storing users’ faceprints. A 2008 law in the state mandates companies collect written consent from subjects before collecting biometric data and also requires notice be provided, as well as a schedule for data destruction. Facebook has asked U.S. District Court Judge James Donato to dismiss the potential class-action, the report states, but the plaintiffs’ lawyers say the case should proceed in the name of protecting Illinois citizens’ privacy. [MediaPost]


CA – Supreme Court Paves Way to Medical Class Action Suit

The Supreme Court of Canada will not hear an appeal to a case in which hundreds of patients’ medical records were accessed inappropriately by Peterborough Regional Health Centre staffers. The Supreme Court’s decision means the case will proceed to trial, which may “open the way to privacy class-action lawsuits.”

CA – BC Commissioner to Audit City of Vancouver

The British Columbia (BC) Information and Privacy Commissioner Elizabeth Denham is looking into the access-to-information requests and privacy practices of the City of Vancouver to ensure the city is in compliance with the provincial Freedom of Information and Protection of Privacy Act.

CA – Ontario MPP Proposes Smart Meter Security Law

Toronto Danforth MPP Peter Tabuns is concerned Ontario’s smart meters are vulnerable to hacking and privacy breaches. In response, he plans to table a private members bill to shore up the security gaps.

CA – NB Commissioner Rules WorkSafeNB “Violated its Own Rules”

WorkSafeNB “violated its own rules” when it shared some of its workers’ data without their consent, says New Brunswick Privacy Commissioner Anne Bertrand. After an injured worker complained that her information had been shared with a polling firm, Bertrand’s office investigated.

CA – TPP Criticized for Restrictions on Data Residency

While the deal aims to make e-commerce easier, some critics say the Trans-Pacific Partnership trade agreement’s verbiage may override some provincial laws that require data be stored on local servers to keep Canadians’ personal information safe.

CA – MB Health Minister to Review Health Record Access Laws

Health Minister Sharon Blady has promised to review health-record access laws after providers refused to give family members access to a missing mental health patient’s records citing Manitoba’s Personal Health Information Act.

CA – Federal Commissioner Comments on Drones with Camera

Federal Privacy Commissioner Daniel Therrien says regulations to restrict the use of camera-equipped drones in certain “sensitive” areas is needed. Transport Canada has said it will issue new guidelines for small drones at some point in 2016.

CA – Ontario Liquor Board to Comply with Order, Purge Records

The Liquor Control Board of Ontario is now complying with a privacy commission ruling that it must destroy the records of beer, wine and spirit club members.

CA – Former BC Commissioner to Review Email Retention/Deletion Policy

Former BC Information and Privacy Commissioner David Loukidelis has been hired to conduct an assessment on how best to implement recommendations for government retention and deletion of emails.


WW – Study: 2016 a “Tipping Point” for Privacy Fears

A Forrester Research study indicates that 2016 will be a “tipping point” for online privacy concerns, “prompting regulators to crack down on companies, and consumers to demand greater protection.” Businesses “also stand to suffer the most when consumers decide to prioritize privacy over convenience, something that is already beginning to shape behavior,” the report continues. Other privacy trends the study highlights are: customers “paying for fewer ads, with more privacy; regulatory wrath against privacy violators, and California as incubator of privacy protections.” Specific trends aside, Forrester urges companies to act. “Don’t wait for federal regulation to get your privacy house in order,” the study says. [NBC News]

US – Companies’ Terms Increasingly Forbid Class Actions

Legal experts with the American Association for Justice and Sen. Al Franken (D-MN) and Rep. Hank Johnson (D-GA) met Monday to discuss a recent investigation that found an uptick in the number of companies preventing consumers from filing class-action lawsuits via arbitration clauses. Such clauses generally say product disputes can only be settled “by privately appointed individuals or arbitrators, rather than through the court system,” the report states. “Forced arbitration is not voluntary, it’s not just and it’s not fair,” Johnson said. The Consumer Financial Protection Bureau last month said it’s considering rules to prevent the practice. [The Hill]

WW – Study: Data Goes to Companies Users Trust

A Center on Global Brand at Columbia Business School and Aimia survey of 8,000 consumers in the U.S., Canada, the U.K., India and France found that while “80% of those polled said they would share data for rewards,” the amount of information disclosed often depends on the amount of trust they have for a brand. Among the most trusted companies? Consumers named organizations like Bank of America, Delta, T-Mobile, Walmart and Facebook. Regardless of brand confidence, the study found that “home address, mobile phone, name and date of birth were personal data consumers felt most sensitive about,” the report states. [MediaPost]

WW – Smart Packaging and RFID-Blocking Wallets

A report analyzes the rise in privacy concerns around RFID packaging, particularly with RFID-blocking wallets. Since many credit cards contain RFID chips, consumers are starting to use protective wallets to secure against adversaries skimming their credit card numbers. “The irony illustrates,” the report reads, “the dilemma faced by RFID: the more it becomes mainstream, the more it generates screams.” The efficiency and convenience of smart packaging—including RFID-enabled packaging at the item level—holds a lot of promise, the report states, but the corresponding rise in privacy concerns may slow mainstream adoption. “So will we ever see a marriage of RFID and packaging?” the report queries. “If we do, it will be because of the successful resolution of privacy concerns, giving new meaning to the phrase, ‘a marriage of convenience.’” [Packaging World]


US – Study: Government Agencies Among Most Repeatedly Breached

A Risk Based Security (RBS) study finds that 21 of the 99 organizations suffering breaches multiple times are government-based, with the Internal Revenue Service and the U.S. Office of Veteran’s Affairs among the Top 10 “Most Breached Organizations of All Time.” A “variety of factors” contribute to the repeat breaches, RBS CISO Jake Kouns said in the report, pinpointing elements like the “juicy” nature of information and “the scale of the agencies’ environments and assets,” he said. Meanwhile, The New York Times reports that the appointment of Beth Cobert as director of the Office of Personnel Management faces an uphill battle in the Senate, while the Department of Homeland Security will begin to employ 1,000 cybersecurity professionals “as part of the government’s ongoing plan to address cyber risks.” [Dark Reading]

US – US Government Agencies Earn Poor Grades on Initial FITARA Report Card

Most US government agencies have not done well in implementing the Federal Information Technology Acquisition Reform Act (FITARA) requirements. According to a report card from the House Oversight and Government Reform Committee, agencies averaged a “D.” The grades are being viewed as “an initial assessment” to identify areas that need attention and improvement. The four categories on which the agencies were graded are data center consolidation; IT portfolio review savings; incremental development; and risk assessment transparency. [NextGov] [NextGov]


US – The Clinton Emails and Changing Privacy Expectations

Lawrence Cappello analyzes how the public release of former Secretary of State Hillary Clinton’s emails “represents a clear historical break from the privacy protections traditionally afforded Cabinet members.” Cappello notes that, traditionally, such high-level correspondence is only released after a 30-year delay, “in the interest of giving government officials space to express controversial ideas” without fear of political retribution. “For the same reasons that individual citizens need privacy so that they can better formulate ideas, assess their surroundings and respond to problems intelligently, so too do government officials need privacy to reflect on the long-range effects of their policies and to engage in frank discussions aimed at finding intelligent solutions,” he writes. [The Atlantic]

Electronic Records

US – PMI’s Privacy and Trust Initiatives Published

The Obama Administration’s Precision Medicine Initiative’s (PMI) Privacy and Trust Initiatives have been released, the White House said in a statement. “The Privacy and Trust Principles are organized into six broad categories: governance that is inclusive, collaborative, and adaptable; transparency to participants and the public; respecting participant preferences; empowering participants through access to information; ensuring appropriate data sharing, access and use, and maintaining data quality and integrity,” the report states. “These principles are intended to establish a foundation for future PMI activities to ensure that privacy has been built into the core of the Initiative and that privacy is maintained as a central priority of PMI throughout all components,” the report continues.


EU – Bill Could Eradicate End-to-End Encryption

The proposed Investigatory Powers Bill, championed by Prime Minister David Cameron, would strip organizations’ ability to provide end-to-end encryption. “We need to find a way to work with industry as technology develops to ensure that, with clear oversight and a robust legal framework, the police and intelligence agencies can access the content of communications of terrorists and criminals in order to resolve police investigations and prevent criminal acts,” a spokesman for the Home Office said. Added Cameron, “as Prime Minister I would just say to people ‘please, let’s not have a situation where we give terrorists, criminals, child abductors, safe spaces to communicate.’” [The Daily Telegraph] See [Lacking Disk Encryption Quality For Mobile Devices]

WW – Tor Claims Government paid University to Uncover Users’ IP Addresses

According to the head of the Tor Project, the FBI paid researchers at Carnegie Mellon University US $1 million to identify users of the anonymizing network. Neither university officials nor the FBI have responded to the allegations, although a CMU spokesperson asked “to see the substantiation for their claim.” In August 2014, CMU researchers were scheduled to give a talk on cracking Tor at the Black Hat conference, but the briefing was pulled from the schedule. [Ars Technica] [Wired] [The Register] [BBC]

[Tor Statement] [Black Hat Talk Cancellation Notice]

US – Gmail Will Warn Recipients of Unencrypted Messages

Gmail will start notifying users when email in their inbox was sent over an unencrypted connection. The change will be rolled out over the next several months. Google hopes the practice will encourage the use of encryption and strong authentication. [DarkReading] [ZDNet] [NBC News] SEE ALSO: [Let’s Encrypt To Open Beta On December 3rd 2015]

US – Encryption App Signal Comes to Android

The Edward Snowden-used and -blessed, hyper-encrypted talk-and-text mobile app Signal is now available to Android users. The free, newly streamlined program, developed by Open Whisper Systems, is reportedly so secure that it consistently draws the ire of the FBI and a smattering of governments across the world. “Every time someone downloads Signal and makes their first encrypted call, FBI Director Jim Comey cries,” the American Civil Liberties Union Lead Technologist, Chris Soghoian tweeted. “True fact.” [Wired]

EU Developments

EU – Cross-Atlantic Group Pens Letter Asking New Safe Harbor Be Scrapped

While EU and U.S. officials are working on drafting a new data-transfer agreement to replace the now-defunct Safe Harbor, 20 EU and 14 U.S. NGOs have sent a letter to both European Commissioner for Justice, Consumers and Gender Equality Vera Jourová and U.S. Secretary of Commerce Penny Pritzker to ask that they shift their focus to “commit to a comprehensive modernization of privacy and data protection laws on both sides of the Atlantic.” A “Safe Harbor 2.0,” the letter said, “will not provide a viable framework for future transfers of personal information.” Instead of simply writing something similar in nature to the Safe Harbor deemed invalid by Europe’s highest court, the human rights and privacy organizations wrote that it’s the privacy laws themselves that need to be rewritten. Meanwhile, the EU-U.S. Ministerial Meeting on Justice and Home Affairs highlighted their work on trans-atlantic data protection in its “final statement,” released Friday. [Ars Technica]

EU – Facebook! You’ve Got 48 Hours to Stop Tracking People

Facebook has been ordered to stop tracking people that don’t have accounts with it in the next 48 hours or face daily fines of 250,000 euros. The decision by a Belgian court follows a case brought by the country’s privacy watchdog earlier this year in which it argued that the social media company was tracking everyone that visited pages hosted on its website, regardless of whether they were users of the service. If users “like” or share a Facebook page, they also have a cookie installed in their browser, whether or not they are logged in or have an account with the company. By not explaining what it did with the data or asking for consent, the company was breaking local privacy laws, argued the Belgian Privacy Commission. And the court agreed. [The Register]

EU – Belgian Court Rules Facebook Must Desist With Datr Cookie

Facebook plans to appeal a Belgian court ruling that mandated a cease-and-desist of “datr cookie” use. The cookie allegedly tracks the online habits of non-Facebook users after visiting the site. “We’ve used the ‘datr’ cookie for more than five years to keep Facebook secure for 1.5 billion people around the world,” a spokeswoman said. “We will appeal this decision and are working to minimise any disruption to people’s access to Facebook in Belgium.” Meanwhile, the site announced that its “Messenger” tool will employ facial recognition technology for an “easier, faster way to share photos.” [Reuters]

WW – ICDPPC Releases Special Edition Communique

Following last month’s conference in Amsterdam, the Executive Committee of the International Conference of Data Protection & Privacy Commissioners (ICDPPC) has released a “special edition” of its newsletter. ICDPPC Chair John Edwards, who is also the privacy commissioner of New Zealand, wrote, “The two Closed Session discussions proved to be more topical than we could have anticipated when we conceived them earlier this year, with the rapid commercialisation of genetic technologies and the ECJ decision in Schrems … illustrating how important it is for DPAs and others concerned with privacy to engage in a public conversation about intelligence and security.” [ICDPPC]

UK – UK Draft Investigatory Powers Bill

UK Home Secretary Theresa May presented the Investigatory Powers Bill earlier this week. Both houses of Parliament will examine the draft legislation before developing a final version and voting on it. Among the draft bill’s provisions are a requirement that Internet service providers (ISPs) retain users’ browsing history data for one year, and increased powers for law enforcement to gain access to data. [SC Magazine] [Ars Technica] [ZDNet] [The New York Times]

UK – Snooper’s Charter Debut Garners Jeers

After the Investigatory Powers Bill was unveiled in Parliament, critics are officially and powerfully spooked. The bill would “take the UK closer to becoming a surveillance state,” Amnesty International said. “The bill proposes the authorities be given the right to retrospectively check people’s ‘internet connection records’ without having to obtain a warrant,” records that are “a very valuable target for criminals to go after,” said Andrews & Arnold’s Adrian Kennard. The legislation also aims to totally eradicate end-to-end encryption, which led Wikipedia founder Jimmy Wales to tweet, “I would like to see Apple refuse to sell iPhones in UK if government bans end-to-end encryption. Does Parliament dare be that stupid?” Meanwhile, The Guardian studies how Snowden’s surveillance revelations impacted the U.S. and the UK differently. [Reuters]

EU – Snooper’s Charter Criticism Grows Louder

The draft Investigatory Powers Bill continues to rile up privacy advocates and tech giants alike. “The snoopers’ charter in the UK is just a bit worse than scary, isn’t it,” said United Nations Special Rapporteur on Privacy Joseph Cannataci. “If your oversight mechanism’s a joke, and a rather bad joke at its citizens’ expense, for how long can you laugh it off as a joke?” Tim Cook, CEO of Apple, also expressed his displeasure for the bill, especially its mandate of backdoor encryption. “Any backdoor is a backdoor for everyone,” Cook said. “Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.” [The Daily Dot]

EU – MEPs Vote to Pardon, Protect Snowden; DPAs Call for Transparency

In a resolution, Members of the European Parliament (MEPs) announced that “too little has been done” to protect citizens from electronic mass surveillance since the Snowden revelations. In a vote of 342 to 274, MEPs called on EU member states to “drop any criminal charges against Edward Snowden” and to grant him protection. Snowden tweeted the vote was “extraordinary.” Meanwhile, more than 30 privacy and civil liberties organizations are challenging U.S. Director of National Intelligence James Clapper to disclose how many Americans are spied on under Section 702 of the Foreign Intelligence Surveillance Act. And international data protection authorities are calling on governments worldwide to boost transparency via a resolution proposed at the 37th International Privacy Conference in Amsterdam. [Europarl]

EU – Other Privacy News

At the ISSE 2015 conference, Assistant European Data Protection Supervisor Wojciech Wiewiorowski argued that even though the ECJ ruled against the legitimacy of the Safe Harbor framework, “the ruling did not say the Safe Harbor processes themselves were invalid, but that they were simply not enough.”

Russian authorities have allegedly told Twitter that it must store Russian users’ data in the country or face the potential of being blocked and fined. Russian Internet regulator Roskomnadzor issued the warning, even though in July it had said Twitter would not have to comply with Russia’s new data localization law.


The proposed UK Investigatory Powers Bill would strip organizations’ ability to provide end-to-end encryption. Meanwhile, Conservative MP Theresa May has promised that the Investigatory Powers bill will not be a repeat of its 2012 iteration, touting the removal of its “contentious” bits.

The Spanish data protection authority has sent letters to Safe Harbor-certified companies operating in Spain outlining necessary steps that companies must take.

Digital Rights Ireland is accusing Ireland of failing to guarantee the independence of the data protection commissioner.

The UK Information Commissioner’s Office has fined the Crown Prosecution Service GBP 200,000 for not ensuring adequate data security of laptops containing sensitive law enforcement interviews with victims and witnesses.

Facts & Stats

US – Study Ranks Companies on Privacy Score

In an interview with DW, Ranking Digital Rights’ (RDR) Director Rebecca MacKinnon discussed the results of RDR’s Corporate Accountability Index 2015 study, which graded and ranked 16 major global telecom and tech companies on their human rights records. Google topped the list, with Axiata and Etisalat rounding out the bottom. “Companies need to do human rights impact assessments,” MacKinnon said. “They need to assess how their business impacts on someone’s freedom of expression and privacy and they need to have a process for monitoring this as well as a process for accountability within the company,” adding that businesses “need to be clear to their users about what they collect and what happens to user information,” she said.

WW – World’s Top Tech Companies Get Failing Grade on Privacy

“According to the most comprehensive assessment to date of their user agreement policies,” the world’s biggest tech companies are not protecting their users’ privacy and freedom of expression. Companies from the U.S., Europe and Asia all received failing grades from a project known as Ranking Digital Rights. None of the companies reviewed offered users appropriate information on privacy and censorship, the New America Foundation think tank survey stated. “There are no ‘winners,’” the group said, adding, “Even companies in the lead are falling short.” Meanwhile, a separate report has found that nine out of 10 of the Internet’s top websites are leaking user data. University of Pennsylvania privacy researcher Tim Libert published the peer-reviewed report, which sought to quantify all the “privacy compromising mechanisms” on the world’s most popular websites. [The Guardian]

WW – Study: Privacy Fears Aren’t Instigating User Action

A Parks Associates study discovered that while 76% of households with broadband “are very concerned about their data security and personal privacy when using connected devices,” only 50% cite interest in their broadband provider’s security options, while 80% don’t even realize that they exist, the firm announced in a statement. “As consumers acquire more connected devices for their homes, the more exposure they feel, either through experience or from hearing about high-profile security breaches in the media,” said Parks Associates’ Patrice Samuels. “As a result, they are seeing high value in security and privacy support either as stand-alone services or through monthly fees.” The reason for the lack of knowledge regarding protective offerings? They “are likely not heavily promoted because they do not generate revenue for the company,” Samuels added. [Full Story]


DAA Issues Video Ad Guidelines; CA AG Releases Location Tracking Tips

The Digital Advertising Alliance (DAA) has released new guidelines for displaying privacy icons in video ads. Ad Marker Implementation Guidelines for Video Ads includes technical specifications for the size and placement of the AdChoices icon in video ads. Unlike the recommendations for display and mobile ads, the DAA has said the icon can be placed in any of the four corners of a video ad. “Given that player formats and the positioning of player controls may vary among video ads, implementing companies may choose alternative corners so as to avoid conflicts in user interaction,” the DAA states in its 12-page release. Meanwhile, California Attorney General Kamala Harris has released consumer tips on mobile location tracking, including an information sheet called Location, Location, Location: Tips on Controlling Mobile Tracking. [MediaPost]

US – Supreme Court Set to Hear Spokeo Case

The U.S. Supreme Court will take up Spokeo, Inc v. Robins, a case that could have far-reaching implications for privacy class-action lawsuits. “If you have automatic damages for statutory violations,” said U.S. Chamber of Commerce attorney Roy T. Englert, “it is a ticket for class-actions to sue for millions and even billions on behalf of people who didn’t suffer any harm.” However, Marc Rotenberg of the Electronic Privacy Information Center said, “This is no time for the court to make it harder to bring lawsuits against companies” that are profiting off the sale of personal data. The Editorial Board for The New York Times said the justices should let the case proceed. Separately, Google has asked a judge to delay a different privacy lawsuit until after the Supreme Court decides on Spokeo. [Los Angeles Times]


US – EPIC FOIAs Government for Umbrella Agreement Text

The Electronic Privacy Information Center (EPIC) has filed a complaint alleging the federal government is not responding to a Freedom of Information Act (FOIA) request EPIC filed in September to obtain the full text of the so-called Umbrella Agreement with the EU. The potential deal between the U.S. and EU would pave the way for data sharing among law enforcement, and hinges on the U.S. government passing the Judicial Redress Act. “The stated aim of the negotiators is to ensure the privacy protections and redress rights afforded to U.S. persons under the Privacy Act of 1974 are available to non-U.S. persons,” EPIC stated in its complaint. “However, the text of the Judicial Redress Act does not support this conclusion. The public release of the text of the agreement is therefore critical to determine the reason for the legislation.” [Courthouse News Service]

US – Facebook Transparency Report Shows Uptick in Requests

According to Facebook’s latest transparency report, governments around the world are asking the company to remove more posts and disclose more user data than ever before. During the first half of 2015, 92 countries asked Facebook to take down 20,568 posts on Facebook, Messenger, WhatsApp and Instagram, more than double what was requested in 2014. Over the same period, governments requested Facebook account data more than 41,000 times; in the first half of 2014 the figure was just over 35,000. Nearly half of the requests came from US law enforcement. Facebook provided requested data in 80% of those cases. [CS Monitor] [NBC News] [Facebook Report] [Full Story]

Health / Medical

ONC Unveils 2016 Privacy Plans

In the wake of the Office of the National Coordinator for Health IT’s (ONC) release of its 10-year road map, the agency announced a litany of privacy-centered plans for the upcoming year. “We have a lot of work planned … reminding people of what HIPAA actually provides,” said ONC CPO Lucia Savage, citing specific goals for the organization “to clarify misunderstandings about HIPAA’s privacy regulations.” She added that “breaking down barriers to information sharing is a top ONC priority for the year ahead.” Savage also disclosed that the agency, the Centers for Medicare and Medicaid Services and the National Governors Association are teaming up for two separate privacy projects. [Healthcare Info Security]

US – Sensitive Diagnosis Posted to FB Not Grounds for Lawsuit

A Hamilton County Common Pleas Court judge ruled an employee who screenshotted medical records and shared them on Facebook was not “within the scope of her employment” and therefore cannot be sued. The screenshot of the medical record, which disclosed the patient’s “maternal syphilis,” was then taken and published to Facebook group “Team No Hoes,” but the judge argued the action was merely a breach of hospital protocol. “(The hospital) had a policy. It was violated,” said Judge Jody Luebbers. “It’s tragic … but that’s just how I see it.” The plaintiff is expected to appeal, as the ruling was a “close call … decided on a legal technicality,” the report states. [Cincinnati]

US – Senatorial Letter Asks Tough Healthcare Privacy Questions

A bipartisan group of senators penned a letter to the Centers for Medicare and Medicaid Services’ Acting Administrator Andy Slavitt and Health and Human Services’ Office for Civil Rights Director Jocelyn Samuels, expounding on their frustrations regarding the numerous recent healthcare data breaches and outlining questions they have for the future. “We are concerned that data theft will continue to rise and will result in an increase in medical identity theft,” the letter said. This comes on the heels of the FBI’s Donald Good’s disclosure that BYOD policy implementation is considered the top healthcare security headache, while data from a Forrester study indicates that “the healthcare industry continues to shortchange Americans when it comes to protecting their data.” Meanwhile, an employee’s “retaliatory agenda” spurred a 16,000-victim Children’s Medical Clinics PHI breach. [NextGov]

US – Brief: Prescription Case Problematic for Privacy

A Litigation Center of the AMA and State Medical Societies amicus brief on the Lewis v. Superior Court of Los Angeles County case indicates that the ruling could have significant privacy implications. The legal proceedings aim to decide if the California Medical Board “infringed upon patients’ constitutional right to privacy when it obtained prescription data without a showing of good cause,” the report states. The brief argues that “there is good reason why federal and state laws treat prescription information with the same level of protection as any other health information,” adding that “the DoJ has not offered an acceptable justification for ignoring the governing laws.” Meanwhile, Verizon’s first-ever Protected Health Information Data Breach Report reveals that most healthcare data breaches aren’t as “sophisticated” as one would think. [AMA Wire]

WW – Contraceptive Computer Chip May Hit the Market in 2018

Women may have a new option in birth control if a contraceptive computer chip hits the market in 2018 as planned. The chip, which has been backed by Bill Gates and will be submitted for pre-clinical testing in the U.S. next year, is implanted underneath the skin and can be controlled by a wireless remote. It releases a small dose of hormone every day for up to 16 years. MIT’s Robert Farra said secure encryption prevents a third party from “trying to interpret or intervene between the communications,” and the next challenge is ensuring the device can’t be activated or deactivated without the woman’s knowledge. Encrypting the radio link addresses eavesdropping; preventing unauthorised activation additionally requires the implant to authenticate each command and to reject replays of frames it has already accepted. [BBC News]
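The distinction between a confidential link and an authenticated, replay-resistant command channel is easy to get wrong, so here is an added example (written for this page; it is not the device’s or MicroCHIPS’ protocol). It shows the piece the passage says is still open: a remote that signs each command with a fresh counter value, and an implant that rejects both a forged frame and a verbatim replay of a genuine one. The pre-shared key `KEY`, the frame layout (4-byte counter, 1-byte command, 16-byte truncated HMAC-SHA256 tag) and the command codes are all assumptions for illustration.

```python
"""Authenticated, replay-resistant commands for a wireless implant.
Illustrative code added for this page; KEY, frame layout and command
codes are assumptions, not the real device's protocol."""
import hashlib
import hmac
import struct

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed pre-shared key (demo only)
CMD_ACTIVATE, CMD_DEACTIVATE = 0x01, 0x02
BODY_LEN = 5        # 4-byte big-endian counter + 1-byte command
TAG_LEN = 16        # truncated HMAC-SHA256 tag


class Remote:
    """The patient's remote: every command carries a strictly increasing counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def build(self, cmd: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IB", self.counter, cmd)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Implant:
    """The implant: accepts a frame only if the tag verifies, the command is
    known, and the counter is greater than the last accepted one."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = 0
        self.active = False

    def receive(self, frame: bytes) -> bool:
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare; forged frames stop here
            return False
        counter, cmd = struct.unpack(">IB", body)
        if cmd not in (CMD_ACTIVATE, CMD_DEACTIVATE):
            return False
        if counter <= self.last_counter:              # captured-and-resent frame: reject
            return False
        self.last_counter = counter
        self.active = cmd == CMD_ACTIVATE
        return True


def demo() -> tuple:
    """Run one legitimate command, one replay, one forgery and one follow-up command."""
    remote, implant = Remote(KEY), Implant(KEY)
    activate = remote.build(CMD_ACTIVATE)
    accepted = implant.receive(activate)             # genuine frame: accepted
    replayed = implant.receive(activate)             # same bytes resent by an eavesdropper: rejected
    # Attacker bumps the counter byte but cannot recompute the tag without KEY.
    forged = activate[:3] + bytes([activate[3] + 1]) + activate[4:]
    forged_ok = implant.receive(forged)
    deactivated = implant.receive(remote.build(CMD_DEACTIVATE))
    return accepted, replayed, forged_ok, deactivated, implant.active


if __name__ == "__main__":
    print(demo())
```

The tag covers the counter, so an attacker can neither replay an old frame (counter too low) nor splice a new counter onto a captured one (tag no longer verifies). A real design would add encryption for confidentiality, as the passage describes, and would have to handle counter persistence across resets and re-pairing, which this sketch leaves out.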

US – Humans Are Data Security’s Greatest Threat

In a recent report from the Ponemon Institute, 70% of the healthcare organizations and business associates surveyed identified employee negligence as a top threat to information security. Healthcare organizations face big challenges in plugging the human security gap. The biggest risk is a lack of awareness on the part of users. [IAPP]

Horror Stories

US – OPM in More Trouble After Contracting Gaffe

The beleaguered Office of Personnel Management (OPM) confirmed that a $20 million contract for offering ID theft protection to the victims of its summer hacking scandal was a breach of both the agency’s policies and the Federal Acquisition Regulation. In a letter to acting OPM Director Beth Cobert, the OPM’s Inspector General Patrick McFarland indicated that “investigators turned up ‘significant deficiencies’ in the process of awarding the contract to Winvale Group,” the report states. “Because of the missteps identified by the IG, OPM’s procurement shop selected the wrong contracting vehicle,” the report continues. However, “Winvale responded to a posting on, just like every other contractor that submitted a bid,” said a spokesperson for the company. “Winvale had no control over or insight into the bidding process.” [The National Journal] SEE ALSO: [Cobert Nominated for Official OPM Directorship] and [Security Tech Adviser Comes to OPM]

US – Cox Communications Settles with FCC for $595,000

The Federal Communications Commission’s (FCC) Enforcement Bureau entered into a $595,000 settlement with Cox Communications for failing to adequately protect the personal data of its subscribers when the company’s system was breached in 2014, according to an FCC press release. The settlement is the first privacy and data security enforcement action by the FCC with a cable operator. “Cable companies have a wealth of sensitive information about us, from our credit card numbers to our pay-per-view selections,” said FCC Enforcement Bureau Chief Travis LeBlanc. “This investigation shows the real harm that can be done by a digital identity thief.” The settlement will also require Cox to notify affected customers, provide one year of ID theft service and “adopt a comprehensive compliance plan” with annual system audits. [Full Story]

US – $90,000 Settlement in Connection with Laptop Theft

The state of Connecticut will receive $90,000 from EMC and Hartford Hospital over an unencrypted laptop holding nearly 9,000 patient records that was stolen in 2012 and never recovered. “Resolving things by agreement was the best course for all involved,” an EMC spokeswoman said. “The agreement will, however, not be considered as an admission by EMC and the hospital of any alleged violations in connection with the laptop incident,” the report states, adding that while “the laptop was not found, the hospital has held that there hasn’t been any evidence of misuse of the information.” [PCWorld]

US – Comcast Resets Stolen User Passwords, Says Systems Not Breached

Account information for 200,000 Comcast customers was found for sale on the Dark Web. The telecommunications company says that its systems were not breached, and that it will reset the affected passwords. [Washington Post] [ZDNet] Meanwhile, “teenage hacktivist group” Crackas With Attitude (CWA) leaked a list that they say contains the personal details of more than 2,000 government officials, a move that a member of the group “claimed … (was) in support of Palestine.” [Time]

Identity Issues

WW – Real Name Policy Revised by Facebook

Facebook has announced new policies regarding its “authentic names” requirements after mounting criticism from civil rights groups like the American Civil Liberties Union and the Electronic Frontier Foundation. Facebook has pledged to permit users to “provide more information about their circumstances,” Facebook VP of Growth Alex Schultz said in a statement. “It will help us better understand the reasons why people can’t currently confirm their name, informing potential changes we make in the future.” Schultz also announced Facebook’s creation of “a new version of the profile reporting process that requires people to provide additional information about why they are reporting a profile,” which aims to curb trolls “falsely flagging profiles for using a fake name,” a burgeoning form of harassment. [The Guardian]

US – Duplicate SSN Nightmare Not a Rarity

Starting with two women who share a birthday, a similar name, state residency and social security number, the duplicate data phenomenon “is not as uncommon as you might think … In fact, some 40 million SSNs are associated with multiple people, according to a 2010 study by ID Analytics,” the report continues. As such, “you should be reviewing those reports to see if there’s activity associated with your identity that you don’t recognize,” said Tripwire’s Travis Smith. “Either of these women could probably have seen the problem earlier if they had been doing that.” [Computer World]

US – New Firm Promises Highly Targeted Election Ads

Xaxis Politics, the product of a WPP and Haystaq alliance, will employ targeted ads to get the attention of voters before the 2016 U.S. presidential elections. “We haven’t seen anyone else doing (online political targeting) with this level of granularity,” said Xaxis CEO Brian Gleason, who added that the tool permits “laser-like targeting” of voters. The system should be used wisely, analysts caution. If “Internet users perceive the tailored ads as too intrusive or creepy,” the report states, their use “could absolutely backfire,” said Borrell Associates’ Kip Cassino. [Financial Times]

US – Anonymous Unhoods 1,000 KKK Members

Hacktivist group Anonymous made good on its threat to out the identities of Ku Klux Klan (KKK) members and sympathizers, releasing 1,000 names to the internet for netizens to do with as they will. “We hope Operation KKK will, in part, spark a bit of constructive dialogue about race, racism, racial terror and freedom of expression, across group lines,” Anonymous said. “We consider this data dump as a form of resistance against the violence and intimidation tactics leveraged against the public by various members of Ku Klux Klan groups throughout history.” [ZDNet]

US – OPM to Work to Make ID Protection a Basic Benefit

In its freshly published cybersecurity strategy, the Obama Administration encouraged the Office of Personnel Management (OPM) to include identity theft protection as a standard employee perk. The strategy “directs OPM within three months to review options and develop and deliver to (Office of Management and Budget) recommendations for making identity protection services a standard federal employee benefit,” and the OPM is listening. “Based on the response by individuals impacted by the personnel records incident there appears to be significant interest in these services by federal employees,” said an OPM spokesperson. “OPM continues to work with an interagency team to develop and deliver recommendations to OMB for making identity protection services a standard federal employee benefit.” [NextGov]

Internet / WWW

US – Hughes: Guidelines a Positive Step for OMB

The Office of Management and Budget (OMB) opened its revisions to guidelines for IT management, and while the inclusion of privacy training mandates garnered raised eyebrows from those in the IT field, some in the privacy community are impressed. The updates are a “sophisticated reflection on how privacy has evolved and arrived in today’s modern organization,” said IAPP CEO Trevor Hughes. These best practices mean that everyone who interacts with a company’s data “needs to understand enough about data management to not make a stupid decision,” he said. “Everyone who touches data is a risk factor with regard to privacy.” The OMB accepts comments on the revisions until November 20. [Gov Exec]

Law Enforcement

US – Supreme Court Won’t Hear Phone-Tracking Case; Lawmakers Want Answers on Gov’t Stingray Use

The U.S. Supreme Court has declined to hear a case on whether the government needs a warrant to collect cellphone location information. The case involves a man convicted of a string of robberies whose location was tracked via his phone. His lawyers argue that’s a violation of his privacy. Meanwhile, Rep. Jason Chaffetz (R-UT) has introduced a bill in the House of Representatives that would require law enforcement to obtain a warrant before using stingray surveillance, and a group of lawmakers—including Chaffetz—has sent a letter to 24 government agencies asking for their policies on using the technology. [ComputerWorld]

US – ACLU: Baltimore Riots Were Surveilled by Police Planes

According to documents obtained by the ACLU, the FBI deployed at least 10 flights of surveillance planes equipped with surveillance technology to monitor the riots in Baltimore, MD, earlier this year. Obtained under Freedom of Information Act filings, logs indicated more than 36 hours of flights—some of them carrying Baltimore police officers—occurred during the protests over the death of Freddie Gray while in police custody. During a Congressional hearing last week, FBI Director James Comey acknowledged the surveillance occurred upon request by local authorities but didn’t provide details on the permissions process. [Reuters]

US – New Bill Would Require Law Enforcement to Obtain Warrants Prior to Stingray Use

A new bill in US House of Representatives would require law enforcement to obtain warrants prior to using stingrays. The Cell-Site Simulator Act of 2015, also known as the Stingray Privacy Act, also requires transparency about the technology to be used by those seeking the warrant. The Justice Department has a policy in place requiring warrants for the surveillance technology’s use; this bill aims to extend that requirement to law enforcement at all levels in the country. [Wired]


US – License Plate Reader Data Exposed

The Electronic Frontier Foundation learned that more than 100 automated license plate recognition (ALPR) cameras were exposed online. In some cases, the camera live streams could be accessed. ALPR systems capture images of license plates and alert authorities when they spot a plate on the “hot list.” The data are collected and stored even if they belong to cars that have nothing to do with criminal activity. [EFF]

WW – New Tor Chat Tool

Tor has launched a chat tool that lets people communicate over the Tor network and hide their locations. Tor Messenger uses encryption by default. It cannot log chats. Tor Messenger is currently available to the public in beta. [BBC] [Ars Technica] SEE also: [Tor Messenger Released]


IS – Supreme Court Rules Against RTBF

The Israeli Supreme Court declined to implement a right to be forgotten under Israel’s privacy laws. The decision overturned an order by the Directorate of Courts, an agency overseeing court administration, requiring legal databases to prevent indexation of court decisions by online search engines such as Google. The Directorate cited litigants’ right to privacy in cases ranging from family law to personal injury, including quoting the Court of Justice of the European Union’s decision in the Costeja case. The Supreme Court weighed litigants’ right to privacy against the public interest in open court records, holding that a clear legislative mandate was required to limit access to judicial data. The ruling stressed that under the Directorate’s order, court records would remain accessible to lawyers who paid to subscribe to legal databases, unjustly handicapping members of the public who do not typically subscribe to such services and access court data exclusively through the open web. The Court suggested that the legislature could protect litigants’ privacy by requiring courts to suppress sensitive information in judgments and, in appropriate cases, publish cases under pseudonymous litigant names. The decision, HCJ 5870/14 Hashavim H.P.S. Business Data v. Directorate of Courts, in Hebrew, is available at the “Full Story” link. [Full Story]

Online Privacy

WW – New Privacy Settings Announced by Google

Google announced its addition of both an advanced “about me” page and Privacy Checkup system, which allows users to have greater control of their online privacy. The “about me” page collects the user’s online information and personal details in one space, from which he or she “can directly jump into each section and delete or change the information to control what people see,” the report states, while the “privacy checkup” takes the user on a “step-by-step tour of (his or her) privacy settings one section at a time.” Meanwhile, the 3rd U.S. Circuit Court of Appeals threw out the class-action suit that alleged Google had “violated federal wiretap and computer fraud laws by exploiting loopholes“ in Internet browsers. [CNET]

WW – Report: Six in 10 Don’t Download Apps Due to Privacy Concerns

A new Pew Research Center report looks at more than one million apps available in the Google Play Store and evaluates the kinds of permissions the apps require for use, according to a press release. The report found six in 10 users decided not to follow through with a download once they realized how much personal data the app would collect, and 43% uninstalled an app after downloading it for the same reason. In addition, nine in 10 users surveyed said knowledge of the kind of personal data an app collects is “very” or “somewhat” important to them in deciding whether to download. [Pew Research]

WW – Mozilla Releases Tracking Protection

Mozilla announced the release of a new feature in Firefox private browsing called “tracking protection.” The feature allows users to control the data third parties receive from them online. It blocks data-collecting content including ads, analytics trackers and social share buttons across sites. The feature also allows users to control data-collecting content on a per-site basis. [Full Story]

WW – IoT’s Unspoken Issue: MAC Addresses

Media access control (MAC) addresses present a severe privacy vulnerability in Internet of Things (IoT) devices, “anti-surveillance specialist” Adam Harvey argued at a Digital Catapult-hosted speech. “If we do this wrong we’re really screwed,” Harvey said. “The MAC address is such a big thing because so many devices use it. Anything with a networking card has a MAC address … We are about to manufacture and deploy billions of devices and we don’t even know what the problems are yet.” Potential manipulation is a concern. “If I were malicious,” he said, “I could construct a highly targeted phishing attack by saying, ‘I see you’ve been to the Grand Hotel, did you enjoy your stay there?’“ [Computing]
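The “I see you’ve been to the Grand Hotel” scenario works because a device with a burned-in MAC address broadcasts the same identifier in Wi-Fi probe requests wherever it goes, before it ever joins a network. The following is an added example written for this page (not code from the talk): it classifies captured source MACs, separates burned-in addresses from locally administered (randomized) and multicast ones using the I/G and U/L bits of the first octet, and intersects the stable identifiers seen at two venues to show how cross-location correlation is done. The two capture lists are constructed sample data, not real observations.

```python
"""What a MAC address leaks: classify captured addresses and correlate
stable ones across venues. Illustrative code added for this page; the
capture lists below are constructed sample data, not real observations."""

# Constructed probe-request source MACs "seen" at two venues (sample data).
HOTEL_CAPTURE = [
    "3c:22:fb:1a:2b:3c",   # burned-in address, seen twice
    "da:a1:19:44:55:66",   # locally administered (randomized) address
    "f0:18:98:aa:bb:cc",   # burned-in address
    "3c:22:fb:1a:2b:3c",
    "01:00:5e:00:00:fb",   # multicast group address, not a station
]
CAFE_CAPTURE = [
    "f0:18:98:aa:bb:cc",
    "96:2c:4a:77:88:99",   # locally administered (randomized) address
    "3C-22-FB-1A-2B-3C",   # same device as at the hotel, different notation
]


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; reject anything else."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)   # int(..., 16) rejects non-hex digits


def classify(mac: str) -> dict:
    """Decode the two flag bits of the first octet and the vendor prefix."""
    raw = parse_mac(mac)
    first = raw[0]
    return {
        "mac": raw.hex(":"),
        "multicast": bool(first & 0x01),              # I/G bit: group address
        "locally_administered": bool(first & 0x02),   # U/L bit: set by MAC randomization
        "oui": raw[:3].hex(":"),                      # vendor prefix of a burned-in address
    }


def stable_identifiers(capture: list) -> set:
    """Burned-in unicast addresses: the ones that follow a device between venues."""
    stable = set()
    for mac in capture:
        info = classify(mac)
        if info["multicast"] or info["locally_administered"]:
            continue
        stable.add(info["mac"])
    return stable


def cross_venue_matches(capture_a: list, capture_b: list) -> set:
    """Devices whose stable identifier appeared in both captures."""
    return stable_identifiers(capture_a) & stable_identifiers(capture_b)


if __name__ == "__main__":
    for mac in sorted(cross_venue_matches(HOTEL_CAPTURE, CAFE_CAPTURE)):
        print(f"{mac}  (OUI {classify(mac)['oui']}) seen at both venues")
```

The U/L bit is the convention MAC randomization relies on, so it is the quickest way to tell, from a capture, which of your devices are still advertising a stable hardware identifier. Note that a randomized address may still be stable per network, and probe requests carry other fingerprintable fields besides the source address, so a clear U/L bit is necessary but not sufficient to avoid this kind of tracking.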

US – FCC Will Not Regulate Do-Not-Track Requests

The Federal Communications Commission (FCC) rejected a petition requesting it require companies to honor consumers’ do-not-track requests. The Consumer Watchdog petition wanted the FCC to “initiate a rulemaking proceeding requiring ‘edge providers’ (like Google, Facebook, YouTube, Pandora, Netflix and LinkedIn) to honor ‘Do-Not-Track’ requests from consumers.” The consumer advocacy group wanted the agency to use Title I and its Section 706 authority to regulate “information services.” The FCC said that when it reclassified broadband as a common carrier service, it would not “regulat(e) the Internet, per se, or any Internet applications or content.” [Ars Technica]

Other Jurisdictions

EU – New LIBE Committee Report on Data Protection in China

As part of a request by the LIBE Committee, the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs commissioned and released an in-depth analysis called “The data protection regime in China.” Co-authored by Prof. Paul de Hert and Vagelis Papakonstantinou, the analysis states, “One cannot talk about a proper data protection regime in China, at least not as it is perceived in the EU. The international data protection fundamentals that may be derived from all relevant regulatory instruments in force today … are not unequivocally granted under Chinese law.” The report also includes a list of policy recommendations for China. [Full Story]

EU – Microsoft to Open Data Centers Overseas

Microsoft announced it is creating two data centers in Germany, putting data out of the U.S. government’s reach. The facilities are controlled by T-Systems, a Deutsche Telekom subsidiary, which will be the “data trustee.” Microsoft employees won’t be able to access the data, which is significant, the report states, because “even though Deutsche Telekom has sizeable operations in the U.S., as a non-American company it is not legally subject to the same U.S. data-sharing rules.” Microsoft lawyers say the legal arrangements are “bulletproof” because if the company doesn’t even have keys to the building, “the U.S. government can hardly demand that it open the doors.” [Full Story]

EU – German Microsoft User Data to Be Stored in Germany

Microsoft will employ data centers in Magdeburg and Frankfurt, Germany, to hold the data of German customers after European critics conveyed surveillance fears. “These data centres will ensure that customers’ data remains in Germany and that a German company controls access to data in accordance with German law,” said Microsoft CEO Satya Nadella. “Microsoft sees cloud services as an opportunity for significant future growth as sales of its flagship operating system decline,” the report adds. [The Province]

RU – Russia to Force Twitter to Store Data In-Country

Russian authorities have allegedly told Twitter that it must store Russian users’ data in the country or face the potential of being blocked and fined. Russian Internet regulator Roskomnadzor issued the warning, even though in July it had said Twitter would not have to comply with Russia’s new data localization law. Roskomnadzor told Financial Times that the situation for Twitter has now changed. Roskomnadzor head Alexander Zharov said Twitter “changed their user agreement some months ago. And if you read that, people must provide a set of metadata, which in our understanding as a whole counts as personal data and allows to identify an individual.” [Radio Free Europe]

WW – Other Privacy News

The current opt-out-as-cybersecurity tack taken by the Senate regarding health records is “dangerously naïve” according to the Australian Privacy Foundation. It further alleges that the Senate “ignored expert advice by changing the e-health records to be opt-out,” the report states.

At the Chemical Watch Enforcement Summit, Dr. Knoell Consult’s Deirdre Lawler disclosed that select EU “data-sharing agreements … are being amended to allow companies in South Korea to use EU data to register chemicals.”

The Trans-Pacific Partnership’s full contents have been revealed, and advocacy groups like the Electronic Frontier Foundation are not impressed.

The Attorney-General’s Department has announced that the Australian government will soon issue an exposure draft of its data breach notification legislation.

In Serbia, the Commissioner for Information of Public Importance and Personal Data Protection has issued a press release that strongly criticizes a new draft Law on Personal Data Protection prepared by the Ministry of Justice, seeking “a greater degree of detail.”

Indonesia could see its first comprehensive data privacy law “as soon as mid-February 2016,” according to the Ministry of Communications and Information.

Privacy (US)

US – 200 Companies Support Student Privacy Pledge

The Future of Privacy Forum (FPF) and Software & Information Industry Association together have announced that 200 companies have now agreed to support the Student Privacy Pledge. The pledge, which also has support from President Barack Obama, the National Parent Teachers Association and the National School Boards Association, is legally binding and can be enforced by the Federal Trade Commission and state attorneys general. “Companies that serve students understand that they must maintain the trust of parents, students and teachers,” said FPF Executive Director Jules Polonetsky. “Although many states are passing new laws to govern student privacy, the pledge plays a key role in setting a national standard for protecting student data and ensures companies are aware of the central restrictions in statutes such as FERPA and COPPA.” [Student Privacy Pledge]

US – FTC Complaint Against LabMD Dismissed

Seven years after the alleged data breach initially occurred, the FTC Chief Administrative Law Judge, Michael Chappell, ruled on Friday to dismiss the FTC’s complaint alleging that cancer-testing laboratory LabMD failed to provide reasonable and appropriate security for sensitive personal data. The case currently represents the first time a company has challenged an FTC complaint brought on the grounds of unreasonable information security and won. The FTC’s enforcement arm is considering whether to appeal. [Full Story]

US – Appeals Court Decision Could Reset Wiretap Act

Google’s recent victory in the 3rd U.S. Circuit Court of Appeals regarding how it used data and its relation to the Wiretap Act was won with a cautionary admonition from the court: “Merely tracking the URLs someone visits can constitute collecting the contents of their communications, and that doing so without a warrant can violate the Wiretap Act.” “This is a pretty big deal for law enforcement,” said Stanford’s Jonathan Mayer. “The punchline is that if the FBI or any law enforcement agency wants to look at your web history, they’ll have to get a warrant for a wiretap order,” he said. [Wired]

US – BBB Takes Companies to Task for Failing Privacy Scores

The Better Business Bureau (BBB) found advertising companies Outbrain and Gravity non-compliant with its privacy and advertising edicts after both organizations failed to attach the AdChoices informational label on advertisements as a form of “enhanced notice.” In response, Outbrain said “it was aware of some problems with its privacy notifications, and had already contacted the publisher of one site that incorrectly implemented the widget,” the report states, promising that it “will continue to take a proactive approach to privacy and disclosure compliance.” Gravity has also “since modified its widget.” [Media Post]

US – Study: MA Student Privacy Lacking

An American Civil Liberties Union of Massachusetts report found that student privacy is lacking, with policies that “allowed schools to inspect school-provided devices without any notice or consent of either the students or parents.” “These kids are going to be adults someday,” said the ACLU of Massachusetts’ Kade Crockford. “If they have learned in schools that they are not to be trusted, that they have no right to privacy … on the Internet or on their iPods or laptops or phones, they may very well believe that this is how things work.” [CSM Passcode]

US – Advocates Call for Data Broker Regulation

Experts at a Senate Judiciary Committee hearing called for regulation of companies that collect and sell massive amounts of consumer data. In opening remarks, Sen. Al Franken (D-MN), who has introduced a bill that would regulate data broker practices, pointed to the myriad data breaches in recent years as evidence that more must be done to protect citizens’ data. The World Privacy Forum’s Pam Dixon testified that it’s “reckless and downright dangerous” not to protect data stored by data-brokers, adding the danger of big data is “what data doesn’t exist can be inferred. It creates an extraordinary network of information flows about ordinary consumers.” [Courthouse News Service]

US – EFF Voices TPP Concerns

The Trans-Pacific Partnership (TPP) continues to garner criticism from privacy groups after the full text of the document was released last week. “We don’t want to see the Internet become balkanized,” said the Electronic Frontier Foundation’s (EFF) Maira Sutton. “But having these discussions decided in a trade agreement is exactly the wrong place to do it. There’s been no security researchers at the table, no public interest groups that have been following this for a long time … trade agreements are not the place to decide digital policy.” [The Hill]

US – Privacy Groups Nonplussed by TPP

The Trans-Pacific Partnership’s (TPP) full contents have been revealed, and advocacy groups like the Electronic Frontier Foundation (EFF) are not impressed. The TPP “upholds corporate rights and interests at the direct expense of all of our digital rights,” the EFF said. Of particular concern is “provisions in the agreement that require real names and addresses associated with Internet domains such as .us, .ca or .au to be registered with the home government,” the report states. “This is dangerous especially for the ability of opposition groups in repressive countries to voice their concerns online without fear of violent retribution,” Fight For the Future (FFTF) said. President Barack Obama fired back, arguing that “if we don’t pass this agreement—if America doesn’t write those rules—then countries like China will.” [Full Story]

US – Washington Announces Privacy Guide for Residents

Washington State Gov. Jay Inslee has announced a new digital privacy protection guide and website to help state residents be aware about cyber privacy, protecting personal data online and the state’s data collection policies and practices, according to a press release. The state’s new website and privacy guide gives residents tips and strategies. Chief Privacy Officer Alex Alben said he hopes both give “citizens a fuller sense of both personal privacy rights and of the state’s commitment to ensuring our state government does everything in its power to safeguard personal data.” [Full Story]

US – Twitter Moves to Dismiss Link Lawsuit

Twitter fires back after a proposed class-action lawsuit alleges the company “surreptitiously eavesdrops on its users’ communications.” Plaintiffs argue that Twitter’s link shorthand has “traffic directed through its own system so as to negotiate better advertising rates,” a practice they argue is illegal under the Wiretap Act. Twitter argues in its motion to dismiss that its methods are “routine business conduct” that aim to “prevent spam and malware,” that the action requires the consent of users and that the process is outlined in its terms of service and privacy policy. [The Hollywood Reporter]

US – Other Privacy News

In a bipartisan letter to the Centers for Medicare and Medicaid Services, senators ask tough healthcare privacy questions, expounding on their frustrations regarding the numerous healthcare data breaches of late and outlining questions they have for the future.

Prosecutors say they know who hacked JPMorgan Chase last year. The three men responsible were indicted for separate crimes in July but are also responsible for the hack affecting 83 million customers’ personal data.

An amicus brief on the Lewis v. Superior Court of Los Angeles County case indicates that the ruling could have significant privacy implications. The legal proceedings aim to decide if the California Medical Board “infringed upon patients’ constitutional right to privacy when it obtained prescription data without a showing of good cause.”

The U.S. Supreme Court has declined to hear a case on whether the government needs a warrant to collect cellphone location information. The case involves a man convicted of a string of robberies whose location was tracked via his phone.

The Federal Communications Commission’s (FCC) Enforcement Bureau entered into a $595,000 settlement with Cox Communications for failing to adequately protect the personal data of its subscribers when the company’s system was breached in 2014, according to an FCC press release.

Sen. Al Franken (D-MN) has said he will reintroduce a bill that would ban stalking apps.

Privacy Enhancing Technologies (PETs)

WW – Yik Yak as Anonymous as It Seems?

Arrests tied to racially fueled threats posted on social media app Yik Yak have called the platform’s boasts of anonymity into question. The app is considered to be “by far the most widely adopted, anonymous, location-based applications at schools,” the report states. According to Yik Yak’s policies, however, it “can disclose to police each user’s Internet protocol address and GPS coordinates, along with details about the phone or tablet,” the report continues. While a spokesperson for the company would not disclose specific information about the frequency with which authorities ask for Yik Yak data, she acknowledged “the company works with authorities” and that in times of emergency the company doesn’t require the usual legal license to access data. [NBC News]

US – ROI Calculator Aims to Break Down Automation Worth

TRUSTe unveiled its return on investment (ROI) calculator for those unsure if investing in “privacy automation technology” is the right step for their company, the organization announced in a statement. On TRUSTe’s website, “visitors can read up on privacy assessment best practices or guidelines for evaluating privacy automation ROI,” as well as access the ROI calculator. The tool has “default values for each field based on our own research but each field is customizable so that users can tailor the ROI calculations to their own use case.” [Full Story]

WW – New Risk-Assessment Tool Released

Privacy Analytics has released a privacy-risk assessment tool to help organizations evaluate their data-sharing practices, according to a press release. Risk Monitor identifies gaps in existing practices and uses peer-reviewed algorithms and methodologies to look at organizations’ current risk for exposing personal health information or personally identifiable information based on “the context and intended use of each shared data set.” Pamela Neely Buffone, vice president of product management at Privacy Analytics, said organizations are looking to maximize the usefulness of their data assets and need to have “responsible privacy measures” to ensure compliance and “the lowest possible levels of legal, financial and reputational risk.” [Full Story]


US – UMass Awarded Grant To Study “Smart Building” Privacy

The National Science Foundation granted the University of Massachusetts Amherst $486,524 for a research project aimed “to enhance privacy in smart buildings and homes,” the university announced in a statement. “It’s very easy to know whether someone’s home or not by following energy use data, so that might be considered sensitive information,” said the University’s David Irwin, one of the project directors. “On the other hand, energy companies can save you money by knowing that same information. They can charge you less for electricity in off-peak hours, for example. One thing we’ll be studying is how to preserve individual privacy while still allowing utilities to improve their operations.” [Full Story]


WW – Study Aims to Eradicate the Password

Tech companies Galois, Inc., its subsidiary Tozny, GlobeSherpa and IOTAS have united to develop an alternative to the password, a project the National Institute of Standards and Technology so believes in that it awarded Galois $1.8 million for its work. The goal is to build “a behavior-based authentication system dedicated to finding a happy medium between the need to validate users while also guarding their privacy,” the report states. It would permit “new ways for user information to be shared across organizational boundaries in a way that the user is in control over how the data (is) shared, what is shared, with who and when,” said Tozny founder Isaac Potoczny-Jones. [FedScoop]

US – Audit Again Finds IRS Security Lacking

A Government Accountability Office audit found the Internal Revenue Service’s (IRS) security systems to be flawed enough to put taxpayer information in danger, the second recent study to produce negative results. The audit discovered that the agency “doesn’t have sufficient control over its financial reporting system,” with some systems without an update in four years, the report states, adding that the auditors discovered vulnerabilities that the IRS itself hadn’t unearthed. In response, IRS Commissioner John Koskinen acknowledged that “challenges remain,” but said the agency had “established its ability to consistently produce accurate and reliable financial statements.” [NextGov]

US – Study: Not One U.S. State Prepared for Cyber Threats

A study by the Pell Center for International Relations and Public Policy at Salve Regina University found a “troubling lack of preparedness to deal with cybersecurity threats among a vast majority of state governments.” While all 50 states are forging ahead and investing in improvements to broadband communications, none of them “managed to meet all the evaluation criteria that Pell used to measure their cyber readiness,” said Francesca Spidalieri, senior fellow for cyber leadership. The study looked at whether each state had a cybersecurity plan, formal incident response capabilities, data breach notification and threat-information sharing mechanisms, the report states. [DARKReading]

Survey Finds Business Unprepared for Hacks

A new ISACA survey of 600 individuals in the cybersecurity field found that while 74% were expecting to be hacked, only 67% felt “prepared to respond.” Cyberattacks in the form of advanced persistent threats (APT) “have become the norm,” said ISACA CEO Matt Loeb. “All organizations, regardless of their size, where they’re located or what industry they’re in, have to be prepared to deal with these things … There isn’t anybody that isn’t vulnerable. So when we talk about these things, it’s not a matter of if I’m going to be attacked, it’s a matter of when.” [Associations Now]

US – Conficker Found on Police Body Cameras

There are reports that malware known as Conficker has been found on police body cameras supplied by Martel Electronics. When the cameras were connected to computers, Conficker immediately tried to infect the machines. Once it had infected a machine, it tried to spread to other machines on the same network. Conficker was first detected in late 2008. [Ars Technica] [The Register] [ZDNet]

WW – Covington: Effective Log Management Can Prevent Breaches

In a blog post, Robert Covington discusses “the importance of good log management to prevent data breaches.” Covington cites such regulations as the Gramm-Leach-Bliley Act, Sarbanes Oxley, HIPAA and the Federal Information Security Management Act as all containing provisions on log requirements. But it’s not an easy thing to do, Covington writes. It requires sifting through a lot of records to find the ones that matter, and, in addition, for logs to matter during a forensic investigation, there have to be proper controls ensuring logs can’t be altered or deleted. Covington offers tips on how to be effective given the inherent headaches. [Computerworld]
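The control Covington’s summary points at, logs that cannot be silently altered or deleted, is usually built as a hash chain sealed by a key the log collector holds and the monitored hosts do not. The block below is an added illustration written for this digest; it is not code from Covington’s post, from Computerworld, or from any product. The log lines, the collector key and the `HashChainedLog`/`verify_chain` names are constructed for the example.

```python
import copy
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not taken from any real system).
SAMPLE_EVENTS = [
    "2016-01-12T09:14:02Z sshd[2210]: Accepted publickey for alice from 10.0.0.7",
    "2016-01-12T09:15:41Z sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "2016-01-12T09:16:05Z sshd[2210]: Disconnected from 10.0.0.7",
]

GENESIS = "0" * 64  # link value of the first record


def seal(key: bytes, seq: int, prev: str, msg: str) -> str:
    """HMAC-SHA256 over (sequence number, previous MAC, message).

    Binding seq and prev into the MAC is what turns independent records into a chain:
    a record can only be verified in its original position after its original neighbour.
    """
    payload = f"{seq}\x1f{prev}\x1f{msg}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class HashChainedLog:
    """Append-only log kept by the collector; hosts only send plain messages.

    Each record is {"seq", "prev", "msg", "mac"}. The key never leaves the collector,
    so a compromised host cannot forge records or re-seal edited ones.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.records: List[Dict] = []

    def append(self, msg: str) -> Dict:
        seq = len(self.records)
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = {"seq": seq, "prev": prev, "msg": msg, "mac": seal(self._key, seq, prev, msg)}
        self.records.append(rec)
        return rec


def verify_chain(key: bytes, records: List[Dict],
                 expected_len: Optional[int] = None) -> Tuple[bool, str]:
    """Walk the chain from GENESIS; report the first inconsistency found.

    Catches edited content (MAC mismatch), deleted/inserted/reordered records (broken link)
    and, when the caller knows how many records should exist, deletion from the tail.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, f"record {i}: broken link (deleted, inserted or reordered entry)"
        expected = seal(key, i, prev, rec.get("msg", ""))
        if not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, f"record {i}: MAC mismatch (content altered or forged)"
        prev = rec["mac"]
    if expected_len is not None and len(records) != expected_len:
        return False, f"tail truncated: {len(records)} of {expected_len} records present"
    return True, "chain intact"


def demo() -> Dict[str, object]:
    """Seal the sample events, then show what each kind of tampering looks like to the verifier."""
    key = b"collector-side secret (constructed demo key)"  # assumption: held only by the collector
    log = HashChainedLog(key)
    for line in SAMPLE_EVENTS:
        log.append(line)

    altered = copy.deepcopy(log.records)          # rewrite the sudo event to hide the target file
    altered[1]["msg"] = altered[1]["msg"].replace("/etc/shadow", "/etc/motd")

    deleted = copy.deepcopy(log.records)          # drop the sudo event entirely
    del deleted[1]

    truncated = log.records[:2]                   # chop the tail; only detectable with a known count

    return {
        "intact": verify_chain(key, log.records, expected_len=3),
        "altered": verify_chain(key, altered),
        "deleted": verify_chain(key, deleted),
        "truncated": verify_chain(key, truncated, expected_len=3),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} -> {'OK' if ok else 'TAMPERED'}: {reason}")
```

Tail truncation is the case a plain hash chain cannot see on its own, which is why the verifier takes an `expected_len` from an out-of-band source (a periodically published record count or a signed checkpoint); without that anchor, an intruder who stops the log after a clean record leaves a chain that still verifies.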

WW – NIST Issues Advice on Whitelisting

The US National Institute of Standards and Technology (NIST) published the Guide to Application Whitelisting to help organizations implement the technology. Whitelisting is the number one mitigation on both the NSA’s Top Ten and the Australian Signals Directorate’s Top Four Strategies to Mitigate Targeted Cyber Intrusions. [NextGov] [ComputerWorld] [The Register]


US – Federal Judge Rules NSA Program Illegal; Transition Will Happen

A federal judge has ruled that the NSA bulk collection of U.S. citizens’ phone records is illegal. The impact of the ruling, however, will be limited because the USA FREEDOM Act, which mandates a change to the NSA program, takes effect on November 29. U.S. District Court Judge Richard Leon sided with legal activist Larry Klayman, stating, “This court simply cannot, and will not, allow the government to trump the Constitution merely because it suits the exigencies of the moment.” Meanwhile, in a memo sent to relevant committees in the U.S. Congress, the NSA stated that it “has successfully developed a technical architecture to support the new program” in time for the November 29 deadline. [The Wall Street Journal] [The Hill] [Wired] [DC Judge Richard Leon’s opinion] [The Register] SEE ALSO: [James R. Clapper, Director of National Intelligence v. Amnesty International USA – Appeal – Supreme Court of the United States]

WW – Inaudible Sounds Being Used to Track Users Across Multiple Devices

High-frequency sounds are being used to track people’s behavior across multiple devices. The sounds, which are inaudible to humans, are embedded in television commercials and online advertisements. Tablets and smartphones detect the sounds. The US Federal Trade Commission (FTC) held a Cross-Device Tracking workshop on Monday, November 16, to address the issue. [Ars Technica]

US – Immigrant Ankle Bracelets Unwelcome

After a federal ruling found President Obama’s detention of undocumented immigrants to be illegal, the solution was to release the detainees and keep tabs on them via ankle bracelets, a choice that detractors argue is “not only stigmatizing, but also unnecessary.” While the government maintains that the monitors are “an economical alternative to detention,” those who wear the bracelet see it less of a cheap fix and more of an unwelcome Big Brother. “It’s like they make us free, but not totally free,” said Grace, an immigrant forced to wear the monitor. “It’s the same psychological game as detention. They aren’t freeing us totally. It’s, ‘If you break a rule, if you don’t tell us you’re leaving, we’ll put you in detention again.’” [The New York Times]

US – Biggest Breach of Attorney-Client Privilege in U.S. History?

The Intercept revealed it has received a massive trove of phone recordings from prisons and jails across the U.S. Obtained anonymously from a hacker via SecureDrop, the materials comprise more than 70 million records of phone calls and links to recorded conversations, placed by inmates to at least 37 states between December 2011 and spring 2014. The data was taken from the country’s leading provider of prison phone services, Securus Technologies. Highlighted in the breached material are approximately 14,000 recorded conversations between inmates and their attorneys, “a strong indication that at least some of the recordings are likely … privileged legal communications,” the report states. “This may be the most massive breach of the attorney-client privilege in modern U.S. history,” said ACLU National Prison Project Director David Fathi. [Full Story]

Telecom / TV

US – Vizio Sued Over Smart TV Data Collection, Sharing

A class-action lawsuit has been filed against Vizio “alleging that its use of data from smart TVs violates both federal and California state law.” The suit alleges Vizio doesn’t sufficiently protect the data it collects and shares via users’ smart TVs, in violation of the Video Privacy Protection Act. The suit also claims the company misled users about the way in which the collected data would be used. The suit follows news a hacker was able to gain access to a user’s home network via a Vizio smart TV. Vizio has not yet commented on the suit. [Consumer Reports]

US – TV, IP Address Tracking Product Raises Privacy Concerns

A report from ProPublica raised privacy concerns about television maker Vizio’s consumer-tracking policies, including its ability to track viewing habits and share such data with third parties to gain a larger picture of what those consumers do on their mobile devices. Vizio’s “Smart Interactivity Program” is the default for approximately 10 million users and combines viewing behavior with the user’s IP address. A Vizio spokesperson said that the company’s mining program is part of a “revolutionary shift across all screens that brings measurability, relevancy and personalization to the consumer like never before.” The company also said it shares “aggregate, anonymized data” with third parties to “make better-informed decisions” about content and advertising, the report states. [The Washington Post]

US Legislation

US – Bill Pushes for Auto Cybersecurity Frameworks

Rep. Ted Lieu (D-CA) introduced the Security and Privacy in Your Car Study Act of 2015, a bipartisan bill that would mandate the National Highway Safety Transportation Administration conduct a study to help determine “framework recommendations for vehicle cybersecurity” over the course of a year. “Americans have a right to drive cars that are safe and protected from hackers. Frankly, without adequate protections, a hacker could turn a car into a weapon,” Lieu said. The act “is a first step in bringing industry, advocates and government together to strike a balance between innovation and consumer protection to ensure that car navigation, entertainment and operating systems are safe and the data gleaned from such systems kept private.” [Fed Scoop] See also: [Ford: Car Data is “Your Data”]

US – Insurance Company Releases Data-Collecting Driving App

In 2014, Allstate Insurance developed a usage-based insurance program to collect data on users’ driving behaviors. It says 820,000 customers participate in “Drivewise” and has now launched Drivewise Mobile, which collects the same kind of information (braking, speed, etc.), making it the first major insurer to collect such data through a smartphone app. Allstate’s Ginger Purgatorio, vice president of the Drivewise program, says while the company had to deal with privacy concerns on data collection, customers are now accustomed to companies collecting their data if it means a benefit to them. “They’re willing to provide information to get that value,” she said. [CSO Online]

US – Franken Reintroduces Ban on Stalking Apps

Citing a Good Morning America report on “apps that can secretly track your every move“ Sen. Al Franken (D-MN) has said he will reintroduce a bill that would ban stalking apps. “My commonsense bill will help a whole range of people,” he said in a statement, “including survivors of domestic violence.” The Location Privacy Protection Act would require apps to obtain consumer permission before collecting location data and would require consent before location data is shared with a third party. [Broadcasting & Cable]

US – Other Legislative News

A Florida legislator has proposed a new law that would provide recourse for victims of drone accidents, allowing them “to recover costs from the owner and operator of a drone if the device ‘was a substantial contributing factor’ in causing the damage.”

The U.S. House Energy and Commerce Health Subcommittee has advanced a mental health reform bill that would alter HIPAA to allow “caregivers and family members to have more information about a mentally ill person’s care.”

U.S. Rep. Jan Schakowsky (D-IL) has submitted a bill to create federal data security standards in hopes that the recent U.S.-EU Safe Harbor invalidation “will spur Congress to action.”

Florida lawmakers have submitted a new batch of privacy legislation that would create exemptions to public records law, “ranging from topics involving substance abuse to cell-phone tracking.”

Maine’s drone privacy law has been in effect for a month.



01-15 October 2015


EU – French: Fingerprints, Facial Scans, Should be Required at EU Border

French authorities want fingerprint and facial scans of everyone entering or leaving the EU. The proposal from the French delegation came as the European Commission puts more pressure on interior ministers to adopt its so-called “smart borders” package. The Commission plan is to set up a digital dragnet to monitor all non-EU nationals entering and exiting the EU. According to the Commission, the programme is needed to deal with a huge increase in people coming to and from the EU. It predicts that air border crossings could increase by 80% to 720 million in 2030. “This will result in longer queues for travellers if border checking procedures are not modernised in time,” warns the Commish document. But hot on the heels of their own version of the Patriot Act, France (PDF) wants to “broaden the scope of the smart borders package for all travellers, also including European nationals”. The scheme was first proposed two years ago, but has been revived along with other security surveillance schemes such as PNR. Currently border checks for the Schengen area are based on passport visa stamps. There is no pan-European database recording travellers’ entries or exits. This makes it difficult for authorities to detect “overstayers” says the Commission. [The Register]

WW – Facial Recognition Coming to ATMs

China Merchants Bank is employing facial recognition software in nine Shenzhen-based ATMs, phase one of a project that aims to install the system in 12,000 ATMs across the country by the end of the year. While facial recognition is just a part of a three-step verification process, critics are worried that the technology could still permit privacy gaffes to occur. Will the software mean “identical twins can access each other accounts easily?” asked one detractor on Weibo. The privacy concerns haven’t stopped other organizations, however, with companies like Alibaba and MasterCard set to unveil their own facial-recognition systems for finance-related ventures, the report states. [South China Morning Post]

CA – Royal Bank Adopts Voice-Recognition Technology to ID Customers

Following a pilot program last summer, Royal Bank (RBC) is rolling out “voice biometrics” technology. The service, which will require customers to opt in, will allow the bank to identify customers by the sound of their voice rather than by answering security questions or entering a password. RBC says it’s the first company to implement such a technology, which uses more than 100 characteristics to identify the customer, such as pitch and accent, the report states. Manulife employed a similar technology earlier this year. “It’s easy to pick up a piece of mail and look at someone’s confidential information, but you can’t steal a voice,” said a Manulife executive. [The Canadian Press]

US – Dismiss Our Biometrics Suit, Facebook Asks

Facebook has asked U.S. District Court Judge James Donato to dismiss a suit alleging its photo-tagging service violates biometric privacy laws. “The social networking service argues that the Illinois Biometric Information Privacy Act doesn’t prevent companies from storing photos of faces or information gleaned from those photos,” the report states. Facebook contends the law “only applies to faceprints that derive from in-person scans as opposed to photos,” the report continues. “Because plaintiffs’ claims rest entirely on information derived from photographs, their complaint should be dismissed with prejudice,” Facebook said in its filing papers. [Media Post]

WW – Facial-Recognition Regulations Considered; Researchers Unveil “Climb”

The Home Office “is considering increasing the regulations for retention of face recognition records.” The Home Office announced it is “undertaking a policy review of the statutory basis for the retention of facial images and consulting key stakeholders,” adding it is “considering the role of the Biometrics Commissioner. The government will of course publish the findings of the review and consult formally as appropriate.” Meanwhile, researchers from Cardiff University, the University of Warwick, Swansea University and the University of Birmingham have created “Climb, the Cloud Infrastructure for Microbial Bioinformatics“ that permits other scientists to share genomic information more safely. [Biometric Update] SEE also: [Start-Up Selling Eye-Tracking Technology to Major League Baseball]

Big Data

CA – Group to Study Data Collection

Researchers are getting ready to study “what information is being collected about Canadians and what it’s being used for, saying the public remains largely in the dark on the mass accumulation of personal data.” Queen’s University’s Surveillance Studies Centre will lead the five-year project to study the use of big data, the report states, noting the BC Office of the Information and Privacy Commissioner, Civil Liberties Association and the University of Victoria are among the project’s partners. “Citizens have questions about how big data is being used by police, by political parties, in healthcare, education, social services and in other areas that touch their lives,” BC Privacy Commissioner Elizabeth Denham noted. “This project will probe big-data surveillance and analyze its scope, effectiveness and implications.” [The Globe and Mail]

EU – Agencies to Study Banks’ Big Data Use

The European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority will have their eyes on how banks employ big data in the coming year after expressing concern regarding not only the current utilization of information and its privacy impact but also its potential “to discriminate against certain sections of the population in so-called profiling.” The agencies will study the “opportunities and challenges” that come with employing big data. “The topic aims to analyze the adequacy of sectoral regulatory frameworks and identify any regulatory and/or supervisory measures which may need to be taken,” the groups said in a joint statement. [Reuters]


CA – Ontario Judge to Hear Telecom v. Police Case

An Ontario judge will soon rule on a consumer privacy case “that pits telecom companies against police departments.” In April, Peel Regional police obtained a production order for customer information from “all cellphones that accessed 36 cell towers owned by Rogers and Telus during a specific time frame,” the report states. While police said they needed the records to find a suspect, Rogers and Telus say the production order violates the Canadian Charter of Rights and Freedoms. Police have since withdrawn the order; however, the judge wants to hear the case because of an uptick in similar cases. [Toronto Star]

CA – Saskatchewan Changes Privacy Rules

After a care aide’s employment record was sent to reporters, Saskatchewan is making changes to its privacy rules. As a result, politicians will have to adhere to a new code of conduct that aims to ensure compliance with the province’s privacy act, and they will need to get written consent to “collect, use or disclose someone’s personal information or personal health information,” the report states. Previously, the Freedom of Information Act “didn’t technically apply” to members of the legislative assembly (MLAs), said Saskatchewan Party MLA Jeremy Harrison. Violators of the code could be charged with contempt, face a fine or be removed from the assembly for the day or the house indefinitely. [The Canadian Press]

CA – Yukon Government Developing New Privacy Rules for Health Records

The Yukon government is looking for input on who should have access to your personal health care records, and how accessible they should be. The government is working on new regulations focussed on managing and protecting health files. The new rules would fall under the Health Information Privacy and Management Act, passed in 2013 but not yet in effect. [CBC News]

CA – Critics Raise Data Privacy Concerns in Trans-Pacific Partnership Deal

Critics say Canadians need to see the full text of the Trans-Pacific Partnership (TPP) trade deal to know the privacy trade-off. “We’re dealing with just summary documents. The devil is in the details,” said law professor at the University of Ottawa, Michael Geist. The deal includes provisions to protect the “free flow of information across borders” and “prevents governments in TPP countries from requiring the use of local servers for data storage,” the report states, which Geist finds particularly concerning. [CBC News] [Geist: How the TPP Puts Canadian Privacy at Risk] [Geist: How the TPP may put your health care data at risk: Geist]

CA – Questions Raised Over Preserving Sensitive Truth and Reconciliation Testimony

After years of collecting literally millions of documents and hearing the stories of thousands of aboriginal people who experienced abuse at residential schools, the Truth and Reconciliation Commission is ready to archive this material, much of it brutal and heartbreaking, in the new National Centre for Truth and Reconciliation at the University of Manitoba. Scheduled to open to the public this fall, it will serve as a rich repository and essential historical record of a haunting and tragic chapter of First Nations and Canadian history. Controversy has arisen, however, over whether survivors’ testimony, given privately by those seeking compensation for the abuse they suffered, should be preserved. It came as a shock to many who told their stories – confidentially, they believed – to adjudicators behind closed doors that their words might be preserved for posterity. Some argued against this scenario in an Ontario court last year. Justice Paul Perell ruled that the material from the Independent Assessment Process may be kept for 15 years but, in the meantime, identifying information must be redacted and those who testified be contacted to ask whether they would agree to have the documents remain in the archive; only with this agreement could individuals’ testimony be preserved beyond 15 years. Any other scenario would be a betrayal of survivors’ trust and detrimental to the cause of reconciliation, Justice Perell argued. Some see the ruling as a reasonable compromise but the NTRC launched an appeal, to be heard in court at the end of October. The centre wishes to preserve the documents and argues that it is well-placed to do so as an aboriginal-run organization mandated by the Truth and Reconciliation Commission. [University Affairs]

CA – Retired Mounties Sue RCMP Over Disclosure of Mental Health Records

A class action lawsuit filed in Vancouver alleges that the RCMP has breached the privacy of a number of Mounties by wrongfully disclosing their mental health records. The suit says that the disclosure of the records in 2012 was done to undermine the work of Dr. Michael Webster, a longtime RCMP psychologist who had treated the officers and who has been outspoken in the past on RCMP issues. Several retired Mounties, members of a group that represents about 2,300 officers across Canada, held a press conference outside the Vancouver Law Courts to explain the lawsuit. They told reporters that currently employed officers are afraid that if they speak out, they might be disciplined by their superiors. “The wrongful disclosure of our members’ mental health records undermines the trust and confidence members must have in our employer, to ensure that mental health supports can be accessed privately.” The suit says that in July 2012, the RCMP removed Webster from its list of approved registered psychologists and a month later initiated a complaint against him with the College of Registered Psychologists. It says the college requested the RCMP disclose complete copies of the records of a number of Mounties who had been treated by Webster. The records were disclosed without notification to the officers and in violation of their privacy, says the lawsuit. A complaint filed against the RCMP with the Office of the Privacy Commissioner of Canada resulted in the commissioner finding that there had been a serious breach of privacy. [The Province]

CA – Ring Wants Controversial Report Released

Newfoundland and Labrador Information and Privacy Commissioner Ed Ring wants to make public a government sexual-exploitation study. The government says the 2011 report, It’s Nobody’s Mandate and Everyone’s Responsibility: Sexual Exploitation and the Sex Trade in Newfoundland and Labrador, was “based on interviews with sex workers and vulnerable individuals who could be put in danger if it was released publicly.” However, if it intends to keep the report under wraps the government will now have to go to court. Ring wrote in his review, “Public bodies cannot rely on speculation that harm might take place but must establish a reasonable expectation,” adding that identifying information should be blacked out as opposed to repressing the entire report. [The Telegraph]

CA – Denham Calls for Better Breach Protection

BC Information and Privacy Commissioner Elizabeth Denham “is calling for immediate action by provincial health authorities to boost measures that safeguard citizens’ health information in the absence of disclosure laws,” noting all provinces and territories except BC, Saskatchewan and Quebec “have legislated or incoming requirements that order health authorities to reveal the inappropriate release of private information.” Denham said, “It’s not in place here yet. It’s a problem.” Meanwhile, a breach affected University of Calgary employee records, and The Trump Hotel Collection has announced that point-of-sale systems at seven of its hotels in the U.S. and Canada “were infected with malware, potentially affecting an unspecified number of customers.” [Global News]

CA – Are Political Parties Violating CASL?

Via their email campaigns, “Canadian politicians may be violating Canada’s Anti-Spam Legislation (CASL), the very law they helped enact.” Citing a study from Toronto-based itracMarketer, an email marketing and CASL compliance software provider, the report suggests, “Canadian politicians may need a more compliant marketing staff because every political party failed at providing clear consent and permissions on their email collection pages.” The study looked at the country’s four major political parties’ email marketing, the report states, noting examples of CASL violations itracMarketer found include “not having a clear unsubscribe process, failure to explain the type of content they would send to potential subscribers and not providing a physical address on email collection pages.” [MediaPost] SEE ALSO: [Where the Parties Stand on Surveillance, Privacy] [Where Canada’s Three Political Parties Stand on Cybersecurity and Surveillance] [Election selfies are encouraged, but take them outside polling stations: Posting a photo of a completed ballot could land you in jail] [Green Party (Kris Constable) Views on Enhancing Security Against Cyber Attacks]

CA – Other Privacy News


WW – Uptick in Privacy Products Indicate Citizen Concerns

Average citizens are increasingly out to protect their own privacy given Canada’s Bill C-51, which allows for an increased amount of information to be collected by government. As a result, product designers are creating anti-surveillance items. That trend was recently on display in London at the Victoria and Albert Museum, which focused on “objects that both encourage sharing information online (such as the selfie stick) and block it (such as the Cryptophone 500, a military-grade mobile with the highest security standards on the market … ),” the report states. The London exhibit is just one example of many new products to hit the market. [The Globe and Mail]

Electronic Records

US – Privacy Concerns Decline as Patients Acclimate to EHR Systems

Patients whose doctors use electronic health record systems are increasingly confident that their health information will remain private and secure, Weill Cornell Medical College researchers found in a new longitudinal study, published Oct. 5 in the American Journal of Managed Care. While electronic health record systems have been around since the early 2000s, they became more prevalent when the federal government began offering providers incentives to adopt the technology in 2009. To measure consumers’ perspectives on electronic health records, the researchers collected data through a random-digit-dial national telephone survey that polled about 1,000 people a year between 2011 and 2013. Some 41% of respondents were worried that electronic health records would lessen the privacy and security of personal health data in 2013, compared to 47.5% in 2011. While the 6 percent decrease is a good start, Dr. Ancker continued, the study also demonstrates that, through improved security and education, more work has to be done to sufficiently address patients’ worries. “New things make people anxious,” she said. The data also shows that there is a need to better educate patients about how electronic records work, as well as how they can improve the patients’ healthcare.

US – Researchers Re-Identify 100% of ‘Anonymised’ Health Data

Researchers from Harvard University have published a paper claiming a 100 per cent success rate in de-anonymising patients from their supposedly anonymised healthcare data in South Korea. The study, which bears the ronseal title of “De-anonymizing South Korean Resident Registration Numbers Shared in Prescription Data”, was published this week in Technology Science. Two de-anonymisation experiments were conducted in the study on prescription data from deceased South Koreans, with encrypted national identifiers – Resident Registration Numbers (RRNs) – included. The researchers found significant vulnerabilities in the anonymisation process that is applied to identifiers contained within prescription data, data which is often sold to multinational health companies. Having found that “weakly encrypted RRNs” may be vulnerable to de-anonymisation, the researchers reported that both experiments were 100 per cent successful and revealed all 23,163 of the RRNs in unencrypted form. [The Register] [US – New Coding System Intrudes on Patients’ Privacy, Forces Doctors to Focus on Codes Rather Than Care]

CA – Group Health Centre Debuts Online Patient Portal

Sault Ste. Marie is now one of only a handful of cities in Canada where patients can access essential health information through an online portal, after the Group Health Centre launched its myCARE portal earlier this week. The system allows patients to send messages to their healthcare team, request prescription renewals, manage appointments, review select lab test results, and more through a home computer, eliminating the need to make a visit to the centre for these needs. GHC is now one of two centres in Canada – the other being CHEO in Ottawa – that has this specific technology available for patients. [Sault Ste Marie Star]


US – White House Will Not Demand Back Doors for Access to Encrypted Data

The White House has decided not to pursue policy urging technology companies to build backdoors into their encryption systems despite law enforcement and intelligence agencies’ vocal assertions that the backdoors are necessary. They will still be able to pursue data with warrants. [CSMonitor] [TechCrunch] [ComputerWorld] [SCMagazine] [Ars Technica] See also: [Wired: A New Way for Tech Firms to Fight Orders to Unlock Devices]

US – Federal Judge Wants to Bring Encryption Debate to Courts

A federal judge in New York is seeking to expand the debate surrounding law enforcement access to encrypted communications technology. Magistrate Judge James Orenstein has suggested he would not issue an order sought by the government compelling Apple to unlock a suspect’s iPhone, the report states. Prior to ruling on the case, Orenstein asked the company to explain whether the government’s request would be “unduly burdensome.” According to the report, the judge may have chosen the wrong case to issue such a question, as the suspect’s phone is an older version that can be accessed by Apple. “He’s clearly a judge who is interested in opening topics to discussion in the judiciary, but he also thinks the larger public should know about the debate,” said former Texas Magistrate Judge Brian Owsley. [The Washington Post] SEE ALSO: [Discordant Encryption Attitudes Bring Policy-Making Woes]

US – Back Doors Are Not Necessary to Circumvent Encryption

Andy Greenberg writes, “Encryption usually doesn’t keep determined cops out of a target’s private data. In fact, it only rarely comes into play at all.” Of the 3,554 wiretaps reported in 2014, just 25, or 0.7%, encountered encryption. And of those 25 cases, investigators were able to circumvent encryption 21 times. [WIRED] See also: [Apple Removes Apps that Install Root Certificates | Apple Support | iMore]

EU Developments

EU – Court of Justice Declares Commission’s US Safe Harbour Decision Invalid

Court of Justice of the European Union, PRESS RELEASE No 117/15, Luxembourg, 6 October 2015

Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.

The Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data.

The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).

Maximillian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision).

The High Court of Ireland, before which the case has been brought, wishes to ascertain whether that Commission decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data.

In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.

The Court states, first of all, that no provision of the directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. Nevertheless, the Court points out that it alone has jurisdiction to declare that an EU act, such as a Commission decision, is invalid. Consequently, where a national authority or the person who has brought the matter before the national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the Court of Justice if they too have doubts as to the validity of the Commission decision. It is thus ultimately the Court of Justice which has the task of deciding whether or not a Commission decision is valid.

The Court then investigates whether the Safe Harbour Decision is invalid. In this connection, the Court states that the Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. The Court observes that the Commission did not make such a finding, but merely examined the safe harbour scheme.

Without needing to establish whether that scheme ensures a level of protection essentially equivalent to that guaranteed within the EU, the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.

The Court considers that that analysis of the scheme is borne out by two Commission communications, according to which the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

As regards a level of protection essentially equivalent to the fundamental rights and freedoms guaranteed within the EU, the Court finds that, under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use. The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

Likewise, the Court observes that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

Finally, the Court finds that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

EU – ECJ: Safe Harbor “Invalid”

In a much-anticipated decision, the European Court of Justice (ECJ) was very straightforward in announcing that it has sided with Austrian law student Max Schrems, agreeing with his argument that the U.S. National Security Agency’s PRISM mass surveillance program, unveiled by Edward Snowden, makes the European Commission’s finding of U.S. adequacy for personal data transfer with the Safe Harbor mechanism “invalid.” Immediately, the privacy community began to react—including Schrems himself. [Full Story] See also: [Edward Snowden Says He Would Go To Jail to Come Back to The U.S.]

EU – ‘Safe Harbour’ Data Ruling Leaves U.S. Companies in Legal Limbo

A recent court ruling may boost the European Union’s efforts to reassert authority over how its citizens’ data is being treated and pressure other countries into creating privacy laws that are considered more equitable across borders. U.S.-based internet companies like Facebook, Amazon and Google are now likely scrambling to determine if they need to change their European operations after a judge in the European Union’s highest court ruled that the agreement allowing them to transfer data to the United States violates Europeans’ rights. [CBC News] SEE ALSO: [An Interview with the ECJ’s New President] [Safe Harbor Ruling Symptom of Global Surveillance Discord] [US – Post-Safe Harbor, Senators Push for Judicial Redress Act] and [Regan: Will Schrems Case Ultimately Hurt Europeans’ Privacy?]

EU – European Commission Faces Parliament Ire; Safe Harbor Questions Persist

European Commission leadership suffered the “slings and arrows” of a European Parliament unhappy with the institution’s handling of the now-invalidated Safe Harbor agreement. Parliament’s LIBE Committee also met this week and asked the Commission why Safe Harbor lasted 15 years. Meanwhile, Georgia Institute of Technology Prof. Peter Swire writes for Privacy Perspectives on the legal paths to move forward, and Denis Kelleher suggests that UK Information Commissioner Christopher Graham’s advice not to panic over Safe Harbor is the right advice for now. And in an interview with viEUws, European Data Protection Supervisor Giovanni Buttarelli shares “lessons to be drawn from the ruling, the impact of the decision on EU citizens as well as the efficacy of new instruments aimed at ensuring a high level of data protection.” [Full Story] SEE ALSO: [Swire on Solving the Unsolvable with Safe Harbor] [ICO: Don’t Panic Over Safe Harbor—Yet] [A Look Forward After Safe Harbor’s Invalidation]

EU – LIBE: Why Did Safe Harbor Last 15 Years?

The European Parliament’s Civil Liberties Committee (LIBE) met to debate the European Court of Justice’s recent decision in the Schrems Case invalidating Safe Harbor. The resounding message: What took so long? “It’s important to highlight that something went wrong here,” said German Green MEP Jan Philipp Albrecht, who is rapporteur to the General Data Protection Regulation and vice chairman of the LIBE Committee. Dutch MEP Sophia in ‘t Veld agreed, calling Safe Harbor “bad legislation” that “was dead a long time ago.” MEPs debated what should happen next, and while some called for Safe Harbor 2.0, in ‘t Veld said it’s time to “change strategy.” [IAPP]

EU – German DPA Takes Steps After Safe Harbor Decision

The ULD, the data protection authority for the German state of Schleswig-Holstein, has taken the step that many have predicted and issued a position paper that follows the ECJ’s logic to declare model contract clauses, and even consent, to likely be invalid ways of transferring data to the U.S. “The ULD specifically recommends that companies using standard model contracts cancel them with their U.S. partners and do a complete review of data transfers, consulting with the ULD in basically every instance.” Marit Hansen, head of the ULD, issued a press release and position paper. [Full Story]

EU – Inquiry Finds More Can Be Done to Explain RTBF

Privacy advocates argue that many Europeans do not understand their specific liberties as they relate to the so-called right to be forgotten (RTBF). As such, they suggest, Google and data protection authorities (DPAs) need to do a better job of informing their consumers of their rights, including the right to reach out to DPAs and ask for a second opinion if a company such as Google rejects their RTBF requests, the report states. Although Google does mention that appeals to DPAs are an option in “rejection emails” for RTBF requests, advocates argue more could be done. “I think both DPAs and companies would have a task in raising awareness and informing users,” said Dutch Liberal MEP Sophie in ‘t Veld. [EUObserver]

UK – MPs’ Communications ‘Not Protected’, Tribunal Rules

MPs have no protection from having their communications read by UK security agencies, a tribunal has said. Green Party politicians Caroline Lucas MP and Baroness Jenny Jones argued a long-standing doctrine protecting MPs’ communications was being breached. But in a landmark decision the Investigatory Powers Tribunal said the so-called “Wilson Doctrine” was no bar to the incidental collection of data. Ms Lucas said the decision was a “body blow” for democracy.

EU – Facebook Goes on Privacy Offensive

Facebook is moving to counter at least five different privacy investigations by EU-based data protection authorities (DPAs). In particular, Facebook says a case brought by the Belgium Privacy Commission could affect the security of its users. The case, which could have a ruling as early as this week, would allow the DPA to fine Facebook as much as $284,000 per day due to its controversial use of cookies on non-Facebook sites, the report states. However, Facebook says the cookies help it weed out bots and other automated online machines. Facebook’s Alex Stamos said, “Often regulators will focus on a very, very particular issue and lose sight of the safety issues that affect all 1.5 billion users.” [Full Story]

UK – Consumer Privacy and Security Fears, Complaints Up

Consumer complaints about the way personal data is handled increased by 30% from 2013 to 2014, according to figures from Pinsent Masons, acquired via several Freedom of Information requests to the Information Commissioner’s Office (ICO). Complaints about the security of personal information rose from 886 in 2013 to 1,150 in 2014, while complaints about personal data increased 64% over a five-year period. Pinsent Masons said the increase in consumer complaints highlights increasing levels of public unease over how big business and other organisations store personal information.

EU – Albrecht on GDPR: Very Possibly Done by End of Year

In a meeting of the European Parliament’s Civil Liberties Committee (LIBE), Vice Chairman Jan Philipp Albrecht, Green MEP and rapporteur to the General Data Protection Regulation (GDPR), provided a report on the trilogue negotiations around the GDPR. Chapter five is done, he said, and chapters two, three and four are largely complete. “My impression is that we managed to get agreement on, I would estimate, 70 to 80% of the text,” he said, adding issues like consent conditions, data minimization definitions and the duties for controllers and processors have yet to be finalized. Albrecht said it’s “realistically possible” negotiations will conclude before end of year. [Full Story] See also: [First Direct-Marketing Convictions Set Standard]

EU – ECJ Issues Weltimmo Decision

Denis Kelleher examines the European Court of Justice (ECJ) decision this week in Weltimmo. In the case, the ECJ was “asked to consider what jurisdiction the Hungarian Data Protection Supervisor might have over a website in Slovakia,” Kelleher wrote when the Advocate General’s opinion on the case was issued this summer. “While it is not yet clear what precise impact this judgment will have upon the trilogue negotiations,” the court’s “clear analysis of the jurisdiction and responsibilities of different data protection authorities must be of assistance and hopefully will enable the EU to bring those negotiations to a close.” [IAPP]

EU – EDPS: PNR’s Existence Isn’t Justified

European Data Protection Supervisor (EDPS) Giovanni Buttarelli has published his opinion on the proposed Passenger Name Records (PNR) initiative, arguing there is “a lack of information to justify the necessity” of the move and stating it “raises serious transparency and proportionality issues, and … might lead to a move towards a surveillance society.” PNR could include “home addresses, mobile phone numbers, frequent flyer information, email addresses and credit card details,” the report states. “We encourage the legislators, in assessing the necessity of such a measure, to further explore the effectiveness of new investigative approaches as well as of more selective and less intrusive surveillance measures based on targeted categories of flights, passengers or countries,” Buttarelli said. Meanwhile, more Snowden documents indicate the UK government has spied on Internet users since 2007.

EU – DPAs to Announce Cooperative Agreement

During their “Fireside Chat” at Dentons’ offices in London, UK Information Commissioner Christopher Graham and former interim Privacy Commissioner of Canada Chantal Bernier previewed details of a new cooperation agreement amongst global data protection authorities (DPAs) to be announced at the Data Protection and Privacy Commissioners Conference later this month. Sam Pfeifle writes that the Arrangement, as it’s being called, was first discussed at the DPAs’ conference in Mexico in 2011 and creates a common understanding of DPAs’ obligations as they work together “so that separate memorandums of understanding don’t have to be negotiated and signed each time DPAs coordinate on a case.” [Privacy Advisor]

EU – Other News

Facts & Stats

WW – Survey: Data Leaks a Privacy Malady

FinalCode’s 2015 State of File Collaboration Security study is shining light on a new trend of data leaks, which, according to the survey, more than 80% of information-security professionals have encountered. A data leak is “information that is shared inappropriately, sent to the wrong email address, stored on a computer that was lost or stolen or compromised through a general system security gap,” the report states. Uber, for example, has confirmed a recent data leak impacted 674 U.S. drivers. More than 75% of survey respondents are “very concerned to concerned” about data leaks, the report continues. [GovTech]

WW – Study: Cost of Breaches is on the Rise

The Ponemon Institute’s 2015 Cost of Cyber Crime Study, which examines 252 organizations in five different countries, discovered that while the average cost of data breaches increased 1.95 in the past year, boards are showing less get-up-and-go regarding data security. Larry Ponemon said the numbers are “moving in the wrong direction,” with breach response time also up 30%. And boards don’t seem to care unless stock prices are affected, said Curtis Levinson, a NATO cybersecurity advisor. The study notes that companies “that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber-crime costs that are lower than companies that have not implemented these practices.” [IT World Canada] [Cost of Data Breaches Keeps Going Up. Do Boards Care?]

US – Study: Keeping Up with Data Protection Rules is Financial Burden

A Vanson Bourne survey for software agency Ipswitch found that 68% of respondents believe staying abreast of data protection requirements is a “financial burden.” “Whilst IT professionals recognise the need to align data protection regulation to keep up with modern data-sharing practices and the globalisation of data, it is clear that compliance comes at a price for most,” said Ipswitch’s David Juitt in a statement. Meanwhile, Sachiko Scheuing tells Computing, “When companies around the world consider setting up a new unit in digital or mobile, I don’t think Europe is the preferred place to invest in.” Indeed, “Data protection continues to be a rapidly evolving area, and one that is increasingly important to business,” the Mason Hayes & Curran Tech Law Blog reports. [Full Story]


US – Big Breaches Plague E*Trade, Dow Jones

Dow Jones and E*Trade recently alerted their customers that personal information had allegedly been breached. Although some “personal information had been compromised,” there isn’t evidence that this includes “any sensitive customer account information,” E*Trade explained in an email to its 31,000 affected customers. Meanwhile, Dow Jones CEO William Lewis alerted subscribers of the company’s breach via letter, indicating that between August 2012 and July 2015, hackers were looking for the “contact information for as many current and former subscribers as possible,” a number as high as 2.4 million. Additionally, “payment card … information for fewer than 3,500 individuals could have been accessed,” Lewis said. [BankInfoSecurity]


US – Lenders Look to Social Media to Gauge Creditworthiness

As financial lenders look to new and more accurate ways to determine an individual’s creditworthiness, some are looking at data inputs on a spectrum, where at one end credit card repayment history—the most accurate determinant—is considered, while at the other end social media posts are assessed. With banks concerned that they’re turning down potential sources of profit, companies such as Fico and TransUnion are tapping alternative data sources. “If you look at how many times a person says ‘wasted’ in their (Facebook) profile, it has some value in predicting whether they’re going to repay their debt,” said Fico Chief Executive Will Lansing. “It’s not much,” he added, “but it’s more than zero.” [Financial Times]

US – Glitch Exposes Bank Customers’ Financial Activities

A security glitch affecting online banking at Halifax and Bank of Scotland “has put tens of thousands of customers at risk of fraud by leaving their financial activities visible to anyone.” The banks, which are part of Lloyds, have not indicated how many accounts were affected, the report states, noting “fraudsters were able to view accounts without using hacking devices as they would only need someone’s name, date of birth and address to see their bank, savings, credit card, loan or mortgage account details.” The issue was discovered last week by, the report states, and the banks have since fixed the problem with additional security measures. [The Telegraph]

US – FBI Takes Down Alert on Chip Credit Cards After Bankers Complain

The FBI posted an online advisory about vulnerabilities with new chip-enabled credit cards, but then removed the message less than a day later following concerns from U.S. bankers that back chip cards. The original online post was headlined, “New microchip-enabled credit cards may still be vulnerable to exploitation by fraudsters,” and was replaced by a “page not found” message. The FBI didn’t offer any comment on what happened to the original post, which raised the need to include PIN (personal identification number) security with chip-embedded cards. Use of a PIN instead of a customer’s signature to bolster a chip card has become a heated battle between the nation’s major retailers, which back a PIN, and powerful credit card companies and the major banks they support, which back signatures. The American Bankers Association contacted the FBI urging it to revise and clarify its original post, which was in the form of a public service announcement (PSA), to reduce confusion over the use of PINs with chip cards, an ABA official said. [Computerworld]


CA – New Brunswick Making Open Data ‘Baby Steps’

The New Brunswick government is inching toward an open data portal that will allow citizens to click through public information that has been previously locked inside government servers. The commitment to opening up public data sets came when Premier Brian Gallant announced a digital government initiative earlier this month. [CBC News]

CA – No Harm to Public Safety in Releasing Most of Sex Exploitation Report

Two years after politicians and the police castigated CBC News for putting people in danger by reporting on a government-commissioned report into sexual exploitation in Newfoundland and Labrador, the province’s information watchdog has rejected those concerns, saying most of the document can be released to the public. “I am recommending that the majority of the report be released,” information and privacy commissioner Ed Ring wrote in a recent report. The government now has until Friday to decide whether it will follow the commissioner’s recommendations. Under new access to information laws, the onus is on the government to go to court to block the release of information the commissioner says should be made public. [Source] See also: [Transgender Canadians getting voter cards with birth names]

Health / Medical

AU – myHealth Record Under Governmental Scrutiny

The newly unveiled myHealth Record system has spurred such controversy that Health Minister Sussan Ley was called to a parliamentary joint committee on human rights to quell concerns. Liberal MP Philip Ruddock, the committee’s chairman, argued the system has “significant privacy concerns,” while the Australian Privacy Foundation said, “We suggest that the identity data … will be seen as very useful to the government, especially when cross-matched against the Internet and telecommunications data and other databases.” In response to the concerns, Ley said, “I can assure all Australians that as we develop an electronic health record system … all privacy and security measures will be taken to ensure the protection of a patient’s personal details.” [The Sydney Morning Herald]

UK – HHS Roadmap Paves Way for Privacy

After months of feedback, the Department of Health and Human Services (HHS) has published its 10-year roadmap that illustrates “how healthcare facilities and patients should be able to share medical information” while protecting user privacy. “The roadmap includes a common clinical data set for every patient,” the report states. “In order for us to be able to understand the quality of care delivered for individuals and for populations, we need to have that data available,” said National Health IT Coordinator Karen DeSalvo, who also spoke of the need for “federally recognized, national interoperability standards … that would include privacy and cybersecurity standards.” The roadmap aims to clarify and “align federal and state privacy and security requirements that enable interoperability,” the report states. [ComputerWorld]

US – Gets Privacy Overhaul, Honors DNT

The Obama administration announced new changes to the website in time for a new round of health insurance sign ups. CEO Kevin Counihan said the website will now feature a new “privacy manager” that allows users to opt out of embedded third-party tracking, analytics and social media sites and will also honor do-not-track requests. Electronic Frontier Foundation (EFF) Staff Technologist Cooper Quintin said EFF applauds’s support of DNT and its decision to “give their users strong privacy controls,” adding EFF “would be thrilled to see more organizations, both public and private, follow their lead.” Meanwhile, CSM Passcode queries whether consumers should have the right to demand that websites not track them. [Associated Press]

CA – Alberta Privacy Commission: Health Record Breaches an “Epidemic”

In the wake of news that Alberta Health Services is disciplining 48 healthcare workers after a patient’s medical records were inappropriately accessed, a spokesman for Alberta’s Privacy Commission (APC) said such actions are part of a larger problem. Scott Sibbald, a spokesman for the APC, said, “More broadly, this isn’t an isolated incident by any means. We are seeing, and I guess for lack of a better term, an epidemic within electronic medical records systems.” Sibbald noted that, so far this year, there has been one conviction and two charges for unauthorized access. The agency is also investigating as many as a dozen additional cases. [CBC News]

CA – Yukon Government Developing New Privacy Rules for Health Records

The Yukon government is looking for input on who should have access to your personal health care records, and how accessible they should be. The government is working on new regulations focussed on managing and protecting health files. The new rules would fall under the Health Information Privacy and Management Act, passed in 2013 but not yet in effect. The territorial health department has put together a “discussion document,” and is seeking feedback from health professionals and other Yukoners. Living says the goal is to finish consultations by the end of this year, and have regulations in place in early 2016. [CBC News]

US – OCR Announces HIPAA Compliance Portal

In an attempt to provide HIPAA compliance guidance for mobile app developers and answer questions as they occur, the Department of Health and Human Services Office for Civil Rights (OCR) has created an online portal. “Historically, there have been limited opportunities to obtain guidance from OCR on how HIPAA applies to certain situations,” said Davis Wright Tremaine’s Adam Greene. “I hope that the OCR portal will provide a much needed influx of OCR guidance and clarification regarding how HIPAA applies to mobile health app developers, other cloud-based entities and other business associates.” The information requests will be anonymized, OCR Senior Adviser Linda Sanches said, thus making the portal a tool for learning, not enforcement. “We’re not going to track anyone down,” she added. [GovInfoSecurity]

Horror Stories

US – 15 Million Affected in Breach

Experian has confirmed that approximately 15 million customers, including T-Mobile users “who had applied for Experian credit checks, may have had their private information exposed.” “The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services between Sept. 1, 2013 and Sept. 16, 2015,” Experian’s website states. Experian and T-Mobile are working to notify customers. “Information from the hack includes names, addresses and social security, driver’s license and passport numbers,” the report states, noting Connecticut’s Office of the Attorney General plans to investigate the breach. [The Guardian]

US – Millions of Customer Records Breached

Scottrade has confirmed that 4.6 million contact records were breached from 2013 through 2014. “Although Social Security numbers, email addresses and other sensitive data were contained in the system,” the company said, “it appears that contact information was the focus of the incident.” The American Bankers Association has also discovered that “thousands of members’ personal information had been compromised.” Meanwhile, hackers may have accessed the financial information of Trump hotel patrons. The company said, “Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken … we are providing this notice out of an abundance of caution.” [ZDNet]

US – Senator Wants Details on Experian Breach

Sen. Sherrod Brown (D-OH) of the Senate Banking Committee has written to Experian asking for details regarding its recent T-Mobile data breach. His questions include “how the breach occurred” and “what changes Experian was making to its systems to stop it from happening again,” the report states. “Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system,” Brown noted. He also requested Experian to arrange “credit freezes” for victims of the breach. Experian representatives said in a statement that they “understand the concerns raised” and will be responding. [Associated Press] [T-Mobile Reviewing Experian Affiliation] [Three lawmakers want answers from Experian on the recent data breach affecting up to 15 million T-Mobile customers]

US – PIRG Calls for FTC Investigation of Experian Breach

Twenty-five “data security and consumer advocacy” agencies, including the Electronic Privacy Information Center and the World Privacy Forum, co-signed a letter penned by the U.S. Public Interest Research Group to the Federal Trade Commission, urging the federal agency to launch an official investigation into the recent Experian data breach. “As you know, Experian is one of the three nationwide consumer reporting agencies, each holding data on over 200 million consumers,” the letter states. “A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” it continues. In response, an Experian spokesperson said “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.” Meanwhile, The New Yorker’s Om Malik argues that the company’s breach is just another iteration of the same grave trend. [The Guardian]

AU – Hackers Target Australian Health Sector, Selling Records for A$1,000

Hackers are targeting the Australian health sector, with fully populated digital health records sold on the black market for up to A$1,000 each. Plans to make the personally controlled electronic health record (PCEHR) an opt-out – rather than the current opt-in regime – could significantly expand the range of targets for health hackers. Carl Leonard, principal security analyst for Websense, said healthcare around the world is now experiencing 340% more attacks than the average industry sector. He said that, in 2014, there was a phenomenal 600% increase in the number of attacks launched against hospitals – and Australia is no exception. He said ransomware attacks were 450% more prevalent in healthcare globally than in other industries. He said: “Healthcare offers a very complete dataset that can be used for identity theft or fraud. It holds very up-to-date contact information so you can send targeted mails, and use the information and repurpose it for identity theft.” Leonard said some fully populated health records are fetching up to A$1,000 on the black market while the prices for credit card details continue to drop in what is considered a saturated market.

WW – Researchers Spot Potential Breach

“Researchers at Worcester Polytechnic Institute claim they’ve spotted a potential data breach issue involving Amazon Web Services (AWS).” Amazon, however, has responded that “AWS customers using current software and following security best practices are not impacted by this situation.” The researchers say they used an AWS instance to hack into another, but “only in a lab setting,” suggesting “a single cloud instance could be used by attackers to breach other instances running on the same machine, thus compromising individuals and organizations that are otherwise unrelated, except for using the same cloud service,” the report states. [Bank Info Security] See also: [Samsung breach the Result of Chinese Hackers]

US – Secret Service Privacy Breach Raises Concerns

The White House said that “significant concerns” have been raised by reports that scores of Secret Service employees accessed the unsuccessful job application of a congressman who was investigating agency scandals. Spokesman Josh Earnest said, though, that President Obama retains confidence in the agency’s director and that the “appropriate steps” will be taken to hold accountable any individuals who did not follow proper procedures. [The Associated Press]

NZ – Breaches Affect National Health Index, Merchant

A breach of New Zealand’s National Health Index exposed “confidential birth and death details” of 24,000 victims after an email was accidentally sent to the incorrect recipients. “Patients must be able to trust the information they give to doctors will only be accessible to staff involved in their treatment,” said Labour’s Annette King. King said the data is “particularly sensitive. Its release would be hugely distressing to relatives and loved ones,” adding, “any breach of this magnitude is unacceptable, full stop.” Meanwhile, the Australian Federal Police is looking into a breach that compromised shoppers’ home addresses and other personal information. [Computerworld] [NZ – Deaf Aotearoa flooded with complaints about Jehovah’s Witness church]

US – Uber Breach Investigation

Uber is investigating the breach of a database that contains information about the company’s drivers. A report from Reuters says that one suspect is Uber rival Lyft. Uber inadvertently posted the database key on a GitHub page before the breach. When Uber realized what had happened, it sent a subpoena to GitHub demanding information about people who visited that particular page during the period the key was visible. Someone using an IP address associated with Lyft’s Chief Technical Officer accessed the page. However, that IP address is not the same as the one used in the attack on Uber’s database. [SCMagazine] [Reuters] [Uber Focuses Legal Efforts on Identifying Hackers]

Identity Issues

WW – Coalition to Facebook: Rethink Policy

The Nameless Coalition, a new organization comprising groups like Human Rights Watch and the ACLU wrote a letter to Facebook articulating their displeasure with its policies regarding real names. “Users who opt to send Facebook their identification information are told that their information is secure but are given no information about how Facebook treats their data,” the coalition stated. “While we know not everyone likes this approach, our policy against fake names helps make Facebook a safer place by enabling us to detect accounts created for malicious purposes,” Facebook said. The coalition has requested a response to its letter by October 31. [The Verge]

US – FBI Urges Use of Two-Factor Authentication

The FBI is encouraging small- and medium-sized businesses and Internet users in general to use two-factor authentication to safeguard personal information. The FBI issued the recommendation as part of this year’s National Cyber Security Awareness Month. In a related story, a coalition of government agencies, technology companies, and security experts met in Washington, DC, earlier this week to discuss ways to move toward stronger, two-factor authentication. [FBI] [ExecutiveGov] [DailyDot]

WW – Yahoo Aims to Phase Out Passwords With New Service

Yahoo’s next step in password security is to eliminate them altogether. Starting this week, the company announced, users of the Yahoo Mail app on both iOS and Android will have access to a new service called Yahoo Account Key, which uses smartphones to verify identities in lieu of traditional passwords. Here’s how it works: When users who sign up for Account Key try to access Yahoo Mail, they will no longer need to enter their password. Instead, the Account Key service will send a message to the smartphone connected to the account. With a tap on yes or no, users can indicate it is a legitimate attempt to get into the account or deny unauthorized access. If their smartphone is lost or stolen, users can verify identities through an email or a text message sent to alternative accounts and numbers. In addition to Account Key verification, Yahoo executives announced a revamped version of Yahoo Mail that allows users to connect with, manage and search Outlook, Hotmail and AOL email accounts while signed in to their Yahoo account. The new Mail also connects to Twitter, LinkedIn and Facebook to add photos and create “contact cards” with email, telephone and social media information for contacts. [Reuters]

UK – ‘Hidden Faces’ Proposed As a Biometric Privacy Solution

Biometrics researchers are working on a privacy solution for facial data that would see smartphone user images encrypted into two separate encrypted files which are then also “hidden” in new, unrelated faces and stored separately. Using a technique known as visual cryptography, two facial data templates are created from a single face. These templates are then “hidden” in an unrelated face – for example a celebrity mugshot, with one kept on a device and another in the cloud. Addressing the issue whereby hacked mobile devices could reveal facial data stored on them for biometric authentication, the technique could eliminate the risk of reverse engineering from templates or even from secure elements. See also: [UK – Identity Cards Can Solve Britain’s Migrant Crisis]
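The privacy property the article relies on is that neither stored half reveals the face on its own. The following is an added example (not the researchers’ scheme and not code from the original article) that illustrates the two steps in their simplest form: a 2-of-2 XOR split of a biometric template, which is the basic construction behind XOR-based visual cryptography, followed by hiding each share in the least-significant bits of an unrelated “cover” image. The template and cover pixels are constructed byte strings; a real system would use the actual feature vector and image.

```python
# Added example: 2-of-2 XOR secret sharing of a biometric template plus
# LSB embedding of a share in a cover image. Simplified for illustration;
# the template and cover data below are constructed, not real biometrics.
import secrets


def split_template(template: bytes) -> tuple[bytes, bytes]:
    """Split `template` into two shares. Share A is uniformly random, so
    share A alone, and share B alone, are each independent of the template."""
    share_a = secrets.token_bytes(len(template))
    share_b = bytes(t ^ a for t, a in zip(template, share_a))
    return share_a, share_b


def reconstruct(share_a: bytes, share_b: bytes) -> bytes:
    """XOR the two shares back together; only a holder of both recovers the template."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def embed_in_cover(share: bytes, cover: bytes) -> bytes:
    """Hide `share` one bit per pixel in the LSB of `cover` (one byte per pixel).
    Returns the stego image; the cover must have at least 8*len(share) pixels."""
    needed = len(share) * 8
    if len(cover) < needed:
        raise ValueError(f"cover too small: need {needed} pixels, have {len(cover)}")
    out = bytearray(cover)
    for i in range(needed):
        bit = (share[i // 8] >> (7 - i % 8)) & 1   # MSB-first within each byte
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_from_cover(stego: bytes, n_bytes: int) -> bytes:
    """Read back `n_bytes` of share data from the LSBs written by embed_in_cover."""
    if len(stego) < n_bytes * 8:
        raise ValueError("stego image too small for the requested share length")
    result = bytearray()
    for byte_idx in range(n_bytes):
        value = 0
        for bit_idx in range(8):
            value = (value << 1) | (stego[byte_idx * 8 + bit_idx] & 1)
        result.append(value)
    return bytes(result)


def device_share_leaks_template(template: bytes, trials: int = 200) -> bool:
    """Sanity check on the secrecy claim: across many random splits, the
    device-side share should never equal the template itself."""
    return any(split_template(template)[0] == template for _ in range(trials))


if __name__ == "__main__":
    # Constructed 16-byte "feature vector" and a constructed 256-pixel cover.
    template = bytes(range(16))
    cover = bytes(i % 256 for i in range(256))

    device_share, cloud_share = split_template(template)
    stego = embed_in_cover(device_share, cover)
    recovered_device_share = extract_from_cover(stego, len(device_share))

    print("round trip ok:", reconstruct(recovered_device_share, cloud_share) == template)
    print("device share alone equals template:", device_share_leaks_template(template))
```

Two design points are worth noting. Because share A is fresh randomness of the template’s length, the split is information-theoretically hiding: an attacker who dumps only the device (or only the cloud store) learns nothing about the template, which is the threat the article describes. LSB embedding, by contrast, is only concealment, not secrecy; it makes the share look like an ordinary image but does not add protection, so the split step is the one doing the security work.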

US – ACLU: License Chips a “Nightmare”

The growing trend of states enacting voluntary programs that connect one’s license to the Department of Homeland Security via RFID chips is what the American Civil Liberties Union (ACLU) calls a “civil liberties nightmare.” While “the cards are designed to be used instead of passports at U.S. land borders in a bid to speed up the entrance lines from Mexico and Canada,” their growing popularity could indicate that “such cards could become mandatory across the country,” the report continues. The ACLU said the “technology is a dream come true for identity thieves and stalkers,” while University of Washington researchers said there is “no encryption of any kind and they can be read by anyone,” noting “reading and cloning” of the chips “is possible.” [Ars Technica]

JP – ID Sparks Privacy Protests

Japan’s introduction of My Number ID, an identifier that “will unite personal tax information, social security and disaster relief benefits,” has sparked such intense privacy concerns that more than 400 protesters assembled in Tokyo to contest the move. “Chanting ‘Stop My Number now!’ and ‘No dangerous My Number card!’ protesters called for postponement of the 12-digit number,” the report states, noting the system is “expected to reach an estimated 55 million households” in an attempt to help “cut down on tax evasion and benefit fraud.” Sophia University’s Yasuhiko Tajima has called the My Number plan “unconstitutional,” the report states. [RT]

US – ID-Theft Center Advises Security-Freeze Customers to Watch Credit Report Costs

A Maine-based identity theft assistance company says customers who’ve recently put a security freeze on their credit reports should watch the cost of their policies. “We have become aware that some insurance companies are mistakenly using a customer’s frozen credit history as a negative factor when calculating the costs of the customer’s policy,” said Jane Carpenter, founder of Maine Identity Services. “This means that the rate charged for the insurance may be increased.” In one case, a customer’s rates increased by more than $150. Carpenter said those who’ve experienced a data breach and are receiving credit monitoring services should also watch costs. [Full Story]

WW – What’s in a Boarding Pass Barcode? A Lot

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account. Interested in learning what’s in your boarding pass barcode? Take a picture of the barcode with your phone, and upload it to this site. This blog on the same topic from several years back includes some helpful hints on how to decode the various information fields that get dumped by the barcode reader. Finally, the standards for the boarding pass barcodes are widely available and have been for years. Check out this document from the International Air Transport Association (IATA) for more on how the barcode standards work and have been implemented in various forms. [Krebs]
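To make concrete what the barcode reader dumps, here is an added example (not from the original post or from IATA) that parses the mandatory 60-character block of the IATA Bar Coded Boarding Pass (BCBP) format and lists the fields that tie the pass to a person: the passenger name and the booking reference (PNR), which together are what a found boarding pass typically needs to be useful to someone else. The sample payload is the single-leg example commonly used to illustrate the BCBP layout; the field names and the `year` parameter are this example’s own, since the barcode encodes only the day of year.

```python
# Added example: decode the mandatory block of an IATA BCBP barcode payload
# and report which fields identify the traveller. The sample string below is
# constructed for this example; field names are ours, widths follow the
# published BCBP mandatory layout for the first flight leg.
from datetime import date, timedelta

# (field, width) in on-the-wire order; widths sum to 60 characters.
MANDATORY_LAYOUT = [
    ("format_code", 1),          # 'M' for an IATA BCBP payload
    ("legs_encoded", 1),         # number of flight legs in the barcode
    ("passenger_name", 20),      # SURNAME/GIVEN, space padded
    ("eticket_indicator", 1),    # 'E' when an electronic ticket
    ("pnr_code", 7),             # booking reference (record locator)
    ("from_airport", 3),
    ("to_airport", 3),
    ("carrier", 3),
    ("flight_number", 5),
    ("julian_date", 3),          # day of year, 001-366; the year is not encoded
    ("compartment", 1),          # cabin code
    ("seat", 4),
    ("checkin_sequence", 5),
    ("passenger_status", 1),
    ("conditional_size_hex", 2), # hex length of the optional block that follows
]
MANDATORY_LEN = sum(width for _, width in MANDATORY_LAYOUT)  # 60

# Fields that link the pass to a person or give access to the booking.
IDENTIFYING_FIELDS = ("passenger_name", "pnr_code")

# Constructed sample (single leg, no optional block): widths padded as above.
SAMPLE_BCBP = "M1DESMARAIS/LUC       EABC123 YULFRAAC 0834 326J001A0025 100"


def parse_bcbp(payload: str, year: int) -> dict:
    """Split the mandatory block into named fields and decode the flight date.
    The optional block (which may carry frequent flyer data) is returned raw."""
    if len(payload) < MANDATORY_LEN:
        raise ValueError(f"payload too short: {len(payload)} < {MANDATORY_LEN}")
    if payload[0] != "M":
        raise ValueError(f"unexpected format code {payload[0]!r}")
    fields = {}
    pos = 0
    for name, width in MANDATORY_LAYOUT:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    day_of_year = int(fields["julian_date"])
    fields["flight_date"] = (date(year, 1, 1) + timedelta(days=day_of_year - 1)).isoformat()
    optional_len = int(fields["conditional_size_hex"] or "0", 16)
    fields["conditional_data"] = payload[pos:pos + optional_len]
    return fields


def identifying_fields(fields: dict) -> dict:
    """Return just the fields a stranger could use to identify the traveller
    or look up the booking; useful to decide whether a pass needs shredding."""
    return {k: fields[k] for k in IDENTIFYING_FIELDS if fields.get(k)}


if __name__ == "__main__":
    decoded = parse_bcbp(SAMPLE_BCBP, year=2015)
    for key, value in decoded.items():
        print(f"{key:22} {value!r}")
    print("identifying:", identifying_fields(decoded))
```

The parser deliberately handles only the first leg and leaves the optional block undecoded; the point for a reader of this item is that the plain-text name, booking reference, route, date and seat are all recoverable from the printed barcode with nothing more than the public field layout.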

Internet / WWW

WW – TPP Signed: The ‘Biggest Global Threat to the Internet’ Agreed

An agreement that some campaigners have called the “biggest global threat to the internet” has just been signed, potentially bringing huge new restrictions on what people can do with their computers. The Trans-Pacific Partnership is the conclusion of five years of negotiations, and will cover 40% of the world’s economy. Its claimed purpose is to create a unified economic bloc so that companies and businesses can trade more easily — but it also puts many of the central principles of the internet in doubt, according to campaigners. One particularly controversial part of the provisions makes it a crime to reveal corporate wrongdoing “through a computer system”. Experts have pointed out that the wording is very vague, and could lead to whistleblowers being penalised for sharing important information, and lead to journalists stopping reporting on them. Others require that online content providers — such as YouTube and Facebook — must take down content if they receive just one complaint, as they are in the US. That will be harmful for startups looking to build such businesses since they’ll be required to have the resources to respond to every complaint, experts have pointed out. [The Independent]

WW – Study to Examine Challenges to Privacy

Singapore- and UK-based researchers have submitted a proposal to study the potential threats to privacy and security in the cloud. “Big data provides immense benefits ranging from innovative business models to new ways of treating deadly diseases. However, challenges to privacy arise,” said City University London’s Muttukrishnan Rajarajan, while the School of Electrical and Electronic Engineering’s Lu Rongxing noted, “If privacy is not well addressed, people may be reluctant to share their data.” If approved, the initiative will begin in 2016. Meanwhile, Singapore’s Personal Data Privacy Commission has published two new surveys on consumer opinions and industry opinions of the Personal Data Protection Act. [Computer Weekly]

Law Enforcement

US – NYPD Has Super-Secret X-Ray Vans

Police Commissioner Bill Bratton won’t let the NYCLU — or anyone else — bully him for details on the NYPD’s super-secret X-ray vans. The top cop was asked about the counter-terror vehicles, called Z Backscatter Vans, in light of the NYCLU’s request to file an amicus brief arguing that the NYPD should have to release records about the X-ray vans. The website ProPublica filed suit against the NYPD three years ago after an investigative journalist’s requests for police reports, training materials and health tests related to the X-rays were denied. [The New York Post]


AU – New Data Retention Laws Begin Today

Beginning today, every phone call you make, text message you send and email you write will be tracked by the government under a new metadata retention scheme. This scheme is allegedly being implemented to protect the country against organised crime and terrorism, but it is also being slammed as a major invasion of privacy. An Essential poll from early in the year showed that around 40% of Australians support the introduction of the new metadata laws and 44% did not, while 16% had no idea what it was. International Business Times reports a survey by telecommunications industry lobby group Communications Alliance has found 84% of ISPs are not yet prepared to collect and store the required metadata. [BBC News]

Online Privacy

WW – Problematic Apps Removed from Apple’s Online Store

After Chinese-born apps were found to be laden with malware last month, Apple reviewed its App Store inventory and ousted those programs it considered “potentially invasive to user privacy.” “We’ve removed a few apps from the App Store that install root certificates which enable the monitoring of customer network data that can in turn be used to compromise SSL/TLS security solutions,” said an Apple spokesperson. “We are working closely with these developers to quickly get their apps back on the App Store, while ensuring customer privacy and security is not at risk.” [CNET]

WW – Apple Pulls Some Ad- and Content-Blocking Apps Over Privacy Concerns

Apple has removed several ad- and content-blocker apps from its App Store after they were found to install root certificates that could potentially be used by third parties to access user information. The root certificates could be used to monitor data, which “could be used to compromise SSL/TLS security solutions.” [InformationWeek] [ArsTechnica] [The Register] [ComputerWorld] [CNET] [eWeek]

US – Senators Criticize W3C Do-Not-Track Approach

Sens. Ed Markey (D-MA), Al Franken (D-MN) and Joe Barton (R-TX) have sent a letter to the World Wide Web Consortium criticizing its approach to its do-not-track (DNT) standards. In the letter, the senators contend that the DNT definition will not protect users’ privacy and that “first-party” sites should not be able to collect data from users who opted out of web tracking. “We believe that both first and third parties should be held to high standards that respect privacy and promote competition online,” they write. Additionally, the different standards for first and third parties “gives certain companies … an exemption from what could serve as an important consumer protection and an unfair advantage over companies that better honor consumer rights and expectations.” [MediaPost]

WW – No-Tracking Search Engine Gets $9M from Investors

Swiss-born search engine Hulbee, which has received $9 million from investors, aims to become a “pro-privacy alternative to mainstream search engines.” Unlike other search engines, “it does not track users,” the report states. “It’s competing with other search players in the pro-privacy space,” promising untracked ads as well. According to Hulbee CEO Andreas Wiebe, “Ads on Hulbee are targeted based on the search query, so there’s no geotargeting or cumulative tracking,” the report states. “Hulbee doesn’t fall back on surveillance, so there’s no geotargeting,” Wiebe said. “For Hulbee, the user is completely invisible … We recognize that most consumers do not want to be tracked.” The system has been available in the U.S. since August. [Tech Crunch]

WW – Zombie Cookie Privacy Concerns Come Back To Life

Verizon plans to give AOL access to zombie cookie-gleaned information. “That means AOL’s ad network will be able to match millions of Internet users to their real-world details gathered by Verizon,” the report states, adding that “AOL will also be able to use data … to track the apps that mobile users open, what sites they visit and for how long.” The move has struck a chord with the privacy-conscious. “It’s an insecure bundle of information following people around on the web,” said Deji Olukotun of Access. Verizon disagrees. The information will go to “a very limited number of other partners and they will only be able to use it for Verizon and AOL purposes,” said Verizon’s Karen Zacharia. [Pro Publica]

WW – Google Disputes Claims Its In-Car Entertainment System Spies on Users

Following a report from Motor Trend magazine claiming Porsche had chosen not to use Android Auto in its newest cars because of privacy concerns, Google has denied the in-car entertainment system spies on users. The report claimed certain pieces of data from the entertainment system are collected and “mailed back to Mountain View, California. Stuff like vehicle speed, throttle position, coolant and oil temperature, engine revs …” But Google disputed the report, saying, “We take privacy very seriously and do not collect the data the Motor Trend article claims, such as throttle position, oil temp and coolant temp.” [The Guardian]

Other Jurisdictions

WW – Forrester Releases 2015 Data Privacy Heat Map

To help global organizations navigate privacy regulations, which vary from country to country and can conflict with one another, Forrester has published its 2015 Data Privacy Heat Map. The map, initially created in 2010, features in-depth analysis of the laws and cultures of 54 countries. This year’s version includes non-European countries such as Chile, South Africa and Thailand, who’ve each made strides “toward their own comprehensive data privacy regimes,” the report states. Many countries are making changes to align themselves with the pending European data protection regulation, particularly in light of such provisions as the “right to be forgotten” and breach notification laws. [Forbes]

MX – Uptick in Gov’t Data Requests Sparks Worries

Officials and politicians in Mexico are concerned with the number of government surveillance requests and the lack of supervision in place to keep sensitive data away from those who don’t have the appropriate credentials to access it. The number of requests in 2014 for mobile records was up 25%. Privacy advocates “are particularly concerned because of Mexico’s high rate of corruption—it is not uncommon for criminals and security to work in concert,” the report states. In addition, a new telecommunications law passed in 2014 could make government surveillance easier, and “just 3% of the data requests made in Mexico got a judicial review.” [SC Magazine]

AU – Telstra Gets Extension; Law Changes Explained

Telstra has received an 18-month extension by the Attorney-General’s Department to ensure the organization’s full adherence to the metadata retention law that is now in effect, a process the company has said it has already begun. “We are pleased to say that Telstra is one of the few, if not only, I think, telecommunication providers that has submitted a data retention plan and had it approved by the government,” said Telstra’s Catherine Livingstone. “We are organised to do this and we will implement it over 18 months, and of course, we will work with the government following through on their undertaking to reimburse us for the costs incurred.” Meanwhile, The Sydney Morning Herald breaks down the new data retention changes. [International Business Times]

AU – OAIC Still Protecting Privacy as Staff Dwindles

The government’s decision to significantly defund the Office of the Australian Information Commissioner (OAIC) is troubling as “the privacy functions of the OAIC have arguably never been more important, and it has now been tasked with an even greater responsibility to oversee parts of the mandatory data retention scheme.” Those behind the scenes argue the shortage of funding stems from government displeasure with freedom of information. Regardless, Privacy Commissioner Timothy Pilgrim argues that although “the team (is) somewhat diminished in size” it is “no less committed, is now doing more than ever … to enforce Australians’ privacy and freedom of information rights,” the report states. Meanwhile, the OAIC plans to release telecommunication companies’ audit results. [The Guardian]

RO – President Signs “Big Brother” Law

Under a new law signed by Romanian President Klaus Iohannis, state authorities will soon be able to access such information as “phone-call metadata, equipment IDs and localization.” The controversial law, which Romania’s media has named “Big Brother,” provides a right to access data stored by Internet providers and telecoms. “Now, it just needs to be published in the Official Journal of Romania to come into effect three days later,” the report states. The Romanian Association for Technology and Internet’s Bogdan Manolea said, “Although it is not a data-retention law, the quality of the legal text raises more questions than answers.” [ZDNet]

WW – Other International News

Privacy (US)

US – Tech Giants Press Congress to Give EU Citizens Privacy Rights

A group of large U.S.-based technology companies have sent a letter to U.S. House of Representatives leadership urging them to pass the Judicial Redress Act, a bill that would extend certain privacy protections to EU citizens. The letter states that such a bill “is a critical step in rebuilding the trust of citizens worldwide” and that restoring “that trust is essential to continued cross-border data flows…” Meanwhile, the Computer & Communications Industry Association is opposing the Cybersecurity Information Sharing Act (CISA). Similarly, the American Library Association has said CISA would let federal intelligence agencies spy on people using library computers. [The Hill] [US – Google, Facebook, and Microsoft Stick a Bomb Under Hated CISA Cyber-Law] See also: [US – Candidates Need To Get Privacy Right]

US – Cartoon Network Cleared of VPPA Violation

The 11th Circuit Court of Appeals has ruled that Cartoon Network (CN) didn’t breach the Video Privacy Protection Act (VPPA). Plaintiffs had alleged their mobile information was tracked and shared when they used CN’s mobile app in violation of the VPPA. However, the court found that “downloading an app for free and using it to view content at no cost is not enough to make a user of the app a ‘subscriber’ under the VPPA, as there is no ongoing commitment or relationship between the user and the entity which owns and operates the app,” the opinion states. [The Hollywood Reporter]

US – Other News

Privacy Enhancing Technologies (PETs)

US – HP and 3M to Integrate Privacy Screens into Laptops

HP and 3M say they will integrate privacy screens into some laptops by next year. The feature will allow users to turn a screen black with a push of a button. “Currently, ensuring privacy in cramped quarters is usually handled by installing a clumsy plastic sheet that narrows the field of view to only the person directly in front of the computer.” “If you’re on the side, you see black. But when you have to peel off that screen when it’s time to show off your PowerPoint, they often get dinged up and lost,” the report states. [PCWorld]

WW – Silent Circle Focusing on Businesses, Not Consumers

Silent Circle Co-Founder and encryption guru Phil Zimmerman says that “People want their privacy for free,” and because of that, the company, which makes the privacy-protective Blackphone, is now focusing its sales efforts on businesses handling sensitive data instead of the consumer market. Instead, the company is looking to sell the Blackphone to large enterprises to help protect sensitive personal information, trade secrets and other communications because organizations “are operating in an environment where they’re under attack from hackers.” Meanwhile, the White House has said it will not ask Congress to pass a law requiring companies to decrypt communications data. FBI Director James Comey said, “The administration has decided not to seek a legislative remedy now, but it makes sense to continue the conversations with industry.” [Motherboard]

WW – Apple Acquires Privacy-Sensitive AI Start-Up

Apple has acquired artificial intelligence (AI) start-up Perceptio, a company known for building AI systems on smartphones without having to share large quantities of user data. According to the report, Perceptio aims to run AI image-classification systems on mobile devices without the assistance of external data, fitting in with Apple’s goal of limiting customer data usage. Apple’s Colin Johnson said, “Apple buys smaller technology companies from time to time, and we generally do not discuss our purpose or plans.” Last week Apple said it had acquired a UK-based start-up specializing in technology that allows “Siri-like personal assistants” to carry on longer conversations with users. [Bloomberg Business]


US – Pilot Program Aims to Use Smart Beacons to Track Riders Who Opt-In

A pilot program has been launched by a private contractor to track riders of Massachusetts public transit. The program’s aims are to “improve the rider experience” and help advertisers with the Massachusetts Bay Transportation Authority system “increase engagement and interaction with commuters,” by using a “secure, closed network of Gimbal Bluetooth Smart beacons” that the contractor—called Intersection—says won’t collect personally identifiable information. Riders would only be tracked if they opt in to an app that would allow for the tracking of the beacon’s signal. [NetworkWorld]

US – Insurance Companies Pair With Smart Products to Monitor Homes

Insurance companies are partnering with companies that offer smart products for homes to “get their foot in the door.” American Family Insurance, Liberty Mutual and Bloomington-based State Farm have recently paired with such companies as Google and Nest to offer policyholders discounts on their home insurance in exchange for using the devices. But not everyone thinks that’s a great idea. “These are double-edged products,” said Bob Hunter, insurance director for the Consumer Federation of America. “If properly controlled for privacy and only installed with the policyholder’s permission and total transparency, they can make a home safer … but without strict protections, these could be a threat to a family’s privacy and intimacy.” [Chicago Tribune]

US – Committee Proposal Would Create Civil Penalty for Car Hacks

The House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade has proposed a requirement that vehicle manufacturers state their privacy policies and have proposed civil penalties of up to $100,000 for the hacking of vehicles. The lawmakers suggest the National Highway Traffic Safety Administration establish an Automotive Cybersecurity Advisory Council to develop cybersecurity best practices for U.S. car manufacturers. The “staff draft” released ahead of a hearing on the topic next week recommends manufacturers be required to have “reasonable measures” in place to protect driver information against hacks or face penalties of “not more than $5,000 per day.” [IDG News Service]

US – New Fridge Can Track Your Beer Supply

Internet-of-Things (IoT) technology continues its rapid growth, moving into the beer-tracking game. Bud Light, along with the National Football League, has introduced a new connected fridge that tracks and discloses real-time data on a consumer’s beer supply and temperature. The technology could eventually provide location to allow for home delivery. The fridge is currently only available in California. Meanwhile, California Gov. Jerry Brown has signed a first-in-the-nation bill mandating that smart televisions provide users with prominent notice during the initial setup that voice recognition technology is being used. AB1116 also prevents manufacturers and other third parties from using or selling recorded conversations for advertising. Privacy advocates are still concerned that collected data could be used to profile users, the report states. [MediaPost]


US – FTC Launching Data Security Initiative

Several Federal Trade Commission (FTC) officials shared their views and concerns on recent developments in privacy at the IAPP Global Privacy Summit, and Bureau of Consumer Protection Director Jessica Rich said the agency is set to launch “Start with Security” to provide businesses with resources, education and guidance on data security. Jedidiah Bracy highlights the details on the program Rich and FTC Chairwoman Edith Ramirez shared at the event, the four trends Commissioner Julie Brill said the FTC is looking at and reactions from the FTC on the Obama administration’s proposed Consumer Privacy Bill of Rights. [Full Story] See also: [Is Your Company Ready for FTC Oversight of Data Security?]

US – New Cybersecurity Guidance Released by NYSE

The New York Stock Exchange (NYSE) published a new 355-page cybersecurity guidance with “46 chapters written by more than 35 contributors across security, business and government,” an offering that is touted by the NYSE as the “definitive cybersecurity guide for directors and officers” in the public sector. It “covers such topics as board obligations and action plans, how CEOs can ask better questions, how to protect trade secrets, as well as consumer protection and incident response,” the report states. “No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk,” said NYSE President Tom Farley in the publication’s introduction. “No company, region or industry is immune, which makes the responsibility to oversee, manage and mitigate cyber risk a top-down priority in every organization.” [Market Watch] See also: [FTC Security Workshop Next Stop: Austin]

US – New Protective Service Announced as Breach Reports Persist

Visa and FireEye have once again become allies on the breach protection front with the announcement of the protective service Visa Threat Intelligence. “The subscription-based service includes a web portal where Visa clients can share and view cyber intelligence, forensic threat analysis from recent data breaches and information on malicious software,” the report states, noting, “According to Visa, the ultimate goal with the program is to identify a breach, or a potential breach, before data can be used or compromised.” Meanwhile, SC Magazine reports on a breach involving America’s Thrift Stores, and a new report from Accenture suggests breaches in “the next five years will cost U.S. health systems $305 billion in cumulative lifetime revenue.” [ZDNet]

US – Group Urges FCC to Mandate Better Router Security

In a letter to the FCC, a group of more than 260 global Internet thought-leaders, including former FCC Chief Technologist Dave Farber and Internet co-inventor Vinton Cerf, unveiled an alternative plan to improve the security of WiFi routers. The proposal is in response to newly proposed FCC rules as disclosed in ET Docket No. 15-170. Farber said, “Today there are hundreds of millions of WiFi routers in homes and offices around the globe with severe software flaws that can be easily exploited by criminals. While we agree with the FCC that the rules governing these devices must be updated, we believe the proposed rules laid out by the agency lack critical accountability for the device manufacturers.” [Business Wire] See also: [FCC’s Privacy Regulation “Troubling,” House Republicans Argue]

US – Post-Ashley Madison Breach, Companies Turn to Cyberinsurance

The Canadian Press reports that several high-profile data breaches, most notably the Ashley Madison hack, are prompting companies to turn to cyberinsurance. Deloitte Director of Technology Research Duncan Stewart said, “The number of attacks are rising, the severity is rising, and when they come, they’re more difficult to deal with.” Stewart also said such insurance is now part of the cost of doing business, the report states. He also asked, “You wouldn’t own a factory and not have fire insurance, so why would you think about not having cyberinsurance?” [Full Story]

US – Lack of Data Puts Cyberinsurance Companies in a Bind

Breached businesses are frequently reticent about their experiences, and that has prevented the cyberinsurance industry from having the necessary data to both “accurately predict the risk of a breach” and determine rates. Besides employing computers to forecast risk—a process that is “totally at its infancy,” said George Washington University’s Costis Toregas—another option is a Department of Homeland Security-backed “third-party repository” of such information, the report states. “The unlocking of the potential market into the hundreds of billions of dollars will happen when they either develop a comprehensive kind of statistical base of losses or some strong models that can tell them with some level of confidence,” Toregas added. [Nextgov] [NYT Features Special Section on Security, Privacy]

US – Breach Insurance Policies Costing a Pretty Penny

As breaches multiply, so have the rates of insurers’ “cyber premiums.” “On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that,” the report states. “Average rates for retailers surged 32% in the first half of this year, after staying flat in 2014,” the report continues. And size doesn’t matter: “Even the biggest insurers will not write policies for more than $100 million for risky customers,” the report states, noting, “That leaves companies like Target, which says its big 2013 data breach has cost $264 million, paying out of pocket.” [Reuters] [Cyber Insurance Rates To Skyrocket]

Smart Cards

HK – Cards Recalled After Security Flaw Discovered

After a security vulnerability was found in credit cards “that allows holders’ names to be read by unauthorised sources when they make contactless payments,” the Hong Kong Monetary Authority (HKMA) called for seven banks to “recall or replace” said cards. “Some of the cards issued by the seven banks do not fulfil the HKMA requirements set up in 2012 regarding contactless payment,” an authority spokesperson said. “Namely, the bank must ensure that the data stored in the card and transferrable via contactless payment must include only information essential for transaction, and not include the user’s full name.” The breach was reported to the Office of the Privacy Commissioner for Personal Data as it “may involve a leak of nonessential personal data,” the spokesperson added. [SCMP]


CA – ‘Orwellian’ Surveillance System Monitors All [Cell] Phones on Prison Grounds

Correctional Services Canada is using advanced surveillance technology to record the phone calls and texts of not just inmates, but anyone within earshot. The technology, which is similar to “stingrays” used by police in the United States, intercepts calls and texts coming from inside the prison, its parking lot, grounds and possibly even the surrounding area. In a memo, Warkworth’s warden Scott Thompson wrote after a number of deaths and overdoses, he asked Correctional Services Canada to install the technology to help catch contraband. “Unfortunately, I knew that by trying to intercept what the inmates were doing, I would also be provided with information about cellular devices being used in noninmate areas.” [Toronto Star]

CA – Ontario IPC Releases Surveillance Guidance

The Information and Privacy Commissioner of Ontario (IPC) published Guidelines for the Use of Video Surveillance in an attempt to regulate the use of surveillance and protect user privacy, the agency said in a statement. “Video footage captured by cameras is regularly used to assist in the investigation of wrongdoing,” the IPC report states. “However, the use of these surveillance technologies can put individuals’ privacy at risk. Therefore, it is important to carefully consider both whether it is appropriate to install video surveillance and how it is used.” The guidelines cover everything from “appropriate retention periods” to “notices of collection” while aiming to blend old guidance with new. “By following these guidelines, institutions can use video surveillance technologies, while protecting individuals’ privacy in accordance with their obligations under Ontario’s privacy legislation,” the report notes. [Full Story]

WW – New CCTV Cameras Surveil and Protect Privacy

Canon is experimenting with new CCTV technology that provides certain privacy protection but still records individuals in specific restricted areas. In recent demos by the company, new surveillance cameras can be programmed to watch restricted areas while blocking out individuals outside that area. Any images outside the restricted area are processed into a “pale green ghost.” Traditionally, cameras are aimed at a restricted area, but often capture peripheral images of people walking by. Canon’s new camera would avoid that, thereby helping it comply with some local privacy laws around the world. [PC World]

US – DHS Detains, Forces Mayor to Hand Over Passwords

Returning from a conference overseas, Stockton, CA, Mayor Anthony R. Silva was detained by representatives of the Department of Homeland Security who not only confiscated his electronics but also made his ability to leave their custody dependent on disclosure of the devices’ passwords. “Unfortunately, they were not willing or able to produce a search warrant or any court documents suggesting they had a legal right to take my property,” Silva said. Additionally, the mayor was informed that he had no right to have a lawyer present, the report states. “I think the American people should be extremely concerned about their personal rights and privacy,” Silva said. Anonymous sources allege his detainment was in connection to an ongoing probe, the report states. [Ars Technica]

WW – UL Working on Wearable Security, Privacy Standard

UL, formerly known as Underwriters Labs, will soon certify the safety and security of wearables and other Internet-of-Things (IoT) devices. The company, which is better known for certifying appliances for electrical safety, is currently developing draft security and privacy requirements for IoT devices and expects to launch the program in early 2016. “When we think of how wearables are used, there are a lot of different implications for security,” said UL Principal Engineer for Medical Software and System Interoperability Anura Fernando, adding UL aims to “begin to raise the bar for how security should be addressed … and establish a minimal baseline for what should be addressed much like we did with electricity 120 years ago.” [Computerworld]

Telecom / TV

US – Wireless Industry Issues New Privacy Commitments

The Wireless Association, based in Washington, DC, has issued a set of voluntary antitheft commitments for device manufacturers with the intent to protect user data while limiting the theft of smartphones. Nearly 20 wireless providers have now agreed to implement an antitheft tool, either preloaded or downloadable, to remotely wipe user data in cases of smartphone theft. The agreement also states that phones made after July 2016 will provide users with tools to disable the antitheft technology and use one of their choice. According to the report, smartphone thefts are down 20%, likely from password protection. [ABC News]

US Government Programs

US – Audit Finds Some IRS Systems Dangerously Decrepit

According to a recent Treasury Inspector General for Tax Administration (IG) audit, some Internal Revenue Service (IRS) systems are vulnerable to data theft due to out-of-date technology. “We believe that running workstations with outdated operating systems poses significant security risks to the IRS network and data, particularly in the environment where a chain is only as strong as its weakest link,” the IG said. However, the IRS said it has made changes “to dramatically increase the velocity of upgrades while minimizing risks and costs.” The IRS also cited budget restrictions as a hindrance to technological advancement. The Obama administration has asked for a $242 million cybersecurity allotment for the IRS in its proposed 2016 budget. [The Hill]

US – Defense Department Contractors Must Report Breaches

A new rule requires many US Department of Defense (DoD) contractors to report “cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system.” The rule applies to the more than 100,000 contractors in the DoD’s Defense Industrial Base information sharing network. [The Hill] [NBC News] [Federal Register]

US Legislation

US – California Amends Definition of Personal Identifiable Information and Breach Notification Content Requirements

On October 6, 2015, California Governor Jerry Brown signed into law several changes to California’s Data Breach Notification Statute. The law, as amended, adds additional categories of information into the definition of Personal Information, such as licence plate numbers, new content requirements for data breach notifications (together with a new form that when used properly will be deemed compliant with the new requirements), and a new definition of “encryption.” The amendment becomes effective as of January 1, 2016. [Mondaq News]

US – California Governor Signs CalECPA Into Law

California Gov. Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA), making California “the first (state) to enact a comprehensive law protecting location data, content, metadata and device searches,” Nicole Ozer, technology and civil liberties policy director at the ACLU of California told WIRED. Privacy advocates are applauding its passage, and the Electronic Frontier Foundation calls it a “significant milestone in the campaign to update computer privacy laws, which have been stuck in the 1980s,” adding it hopes the move “will lend momentum to the federal Electronic Communications Privacy Act.” [IAPP]

US – New California Law Requires Warrant to Use Stingray

California Governor Jerry Brown has signed into law a bill that requires law enforcement to obtain a warrant prior to using cell-site simulators, often referred to as stingrays. The California Electronic Communications Privacy Act has been described as having a broad scope; it does not apply to specific technologies but instead aims to protect citizens’ digital privacy. [Ars Technica]

US – House Passes Bill Calling for DHS Strategy

The House of Representatives has passed a bill “demanding that the Department of Homeland Security (DHS) develop a formal cybersecurity strategy.” The bill outlines DHS’s responsibilities for a strategy to facilitate a hub that would allow for data-sharing on federal and civilian cyber-threats. It would also require DHS to provide technical assistance and damage mitigation for organizations that suffer hacks and breaches. Meanwhile, a congressman whose data was reportedly stolen in the Office of Personnel Management hacks says his data is now being used in identity-theft attempts. [Press TV]

US – Other Legislative News


16-30 September 2015


US – OPM Confirms 5.6 Million Fingerprints Stolen in Hack

The government now says the number of compromised fingerprints illegally accessed in the second hack of the Office of Personnel Management (OPM) is five-times higher than originally thought. The government originally reported that 1.1 million fingerprints were stolen, but now the number has gone up to 5.6 million, the Department of Defense and OPM have said. The investigation of the breach by both agencies “identified archived records containing additional fingerprint data not previously analyzed,” the OPM stated. The agency downplayed the threat of the compromised biometric data, but said, “If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.” [Reuters] [Why OPM Hackers Wanted Fingerprints]

Big Data

US – UCLA Project Tackles Data

The next scholastic foray for Christine Borgman, the distinguished professor and presidential chair in information studies at UCLA, involves interdisciplinary data use and how the subject of the data impacts how it is handled, “with the aim of simplifying the complexities of data practices and challenging prevailing assumptions about the value of sharing data.” The “If data sharing is the answer, what is the question?” project aims “to provoke a much fuller and more comprehensive conversation about the diversity of data and practices, the infrastructure required to support them and the roles and responsibilities of varied stakeholders,” said Borgman, who has also written a book on the subject. [UCLA’s Newsroom]

WW – Is Data-Driven Sales Tech Crossing the Creepy Line?

The rise of data-driven tools uses predictive analysis and automation to help generate more effective sales. Burgeoning technological tools are helping companies determine those most likely to make a purchase, for example. A number of start-ups interested in automating sales departments have accumulated around $400 million in venture capital in the last two years, the report states, but some of the tools “seem creepy,” allowing salespeople, in one example, to see when a potential client reads an email and for how long the client lingers, so the salesperson can follow up during a time of potential peak interest. Meanwhile, the Center for Digital Democracy and the U.S. Public Interest Research Group are asking the FTC to protect consumers from unfair lead-generation practices. [The Wall Street Journal]

WW – Data Should Be Accessible, But Not Too Accessible

Citing an education study in which researchers were able to examine the tax returns of students to gauge their future success, scientists and privacy advocates discuss what the balance of data access and privacy ought to be. “There is … concern that the rush to use these data could pose new threats to citizens’ privacy,” the report states. “The types of protections that we’re used to thinking about have been based on the twin pillars of anonymity and informed consent, and neither of those hold in this new world,” said New York University’s Julia Lane, adding, “Difficulty in access is a feature, not a bug … It should be hard to get access to data, but it’s very important that such access be made possible.” [Nature]

WW – Behavioral-Based Premiums Makes Privacy Community Nervous

Swiss health insurance company Dacadoo’s controversial consideration of upping premiums for the lazy has the privacy community examining the move’s potential impact. “There’s no solidarity if someone who does a lot of sports and takes care of their health has to pay the same high premiums as someone who smokes, drinks and drives and does not play sports,” said Dacadoo’s Peter Ohnemus. His words point toward a U.S. trend, the report states, noting, “The proliferation of Internet-of-Things devices is already creating a market for data that could give companies more insight into the behavior of their customers—or, in the case of insurance firms, on whom to place bets.” [Ad-Age]

WW – Industry 4.0 Emphasizes IoT, Data Security

A Boston Consulting Group primer looks at the nine pillars of Industry 4.0, or “the next phase in manufacturing, known as the post-information revolution.” The pillars span everything from cybersecurity and the Internet of Things to the cloud and big data, “all of which IT professionals must understand in order to effectively compete in the next 10-20 years,” the report states. The future of technology must include a discussion on ethical implications as well, Lisa Morgan writes for Information Week, noting, “while organizations usually have stated privacy policies, more could be done to ensure the ethical use of data.” Meanwhile, UNESCO also considered Internet ethics during its recent consultation, West Indies News Network reports. [Business to Community]

WW – Privacy and the Rise of Artificial Intelligence

Here are the latest developments from IBM’s artificial intelligence system, better known as Watson. “I have seen the future, and it is a world of unparalleled convenience, untold marketing opportunities and zero privacy,” writes James Niccolai. The catalyst for his report is a recent event held by IBM to share what will become available to developers for constructing smarter, “cognitive” applications. With the dramatic rise in data collection, artificial intelligence will play a significant role in weeding through and making sense of the “mountains of information” to “make decisions we can no longer arrive at through traditional programming,” Niccolai writes, adding, “This isn’t big data; it’s gargantuan data.” [IDG News Service]


Lawmakers in Ontario tabled Bill 119, which would amend the Personal Health Information Act. The amendments aim to require breach reporting, loosen rules around prosecution and double fines for “snooping” by healthcare workers.

In a recent ruling, BC’s Court of Appeal has limited police access to text messages.


WW – Apple: User Experience Shouldn’t Be At Privacy’s Expense

Apple CEO Tim Cook published an open letter decrying corporations that offer their services for free while, in turn, utilizing user information for advertising profit, a move some believe to be a shot at its competitors. “A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product,” wrote Cook. “But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.” The letter was released with information on Apple’s privacy policy “to explain how we handle your personal information, what we do and don’t collect and why,” Cook added. [Fortune]

US – Survey Shows Consumer Security Concerns

A Parks Associates study, Privacy and Big Data: Safeguarding Consumers, indicates that Internet-of-Things security concerns are rampant among Americans, with 40% specifically concerned about the vulnerability of their smartphones. “Big data offers tremendous opportunities to enhance every aspect of business operations, but it carries a whole new level of liability and responsibility,” Parks Associates’ Brad Russell said in a media release. “Service providers, manufacturers and app developers can all build personalized value-added services based on the data generated by these devices, but first consumers need to have the confidence to use these devices. Security is the price of big data benefits.” [EINews]

WW – In-Store Tracking Continues to Grow

Retailers’ use of mobile phone-tracking continues to grow in popularity. Gleaning data in this fashion has been “cheap and easy to install, gave us continuous live data streams and had the least security and data protection issues,” said Bernard Marr, who used such tracking “to help a client understand some basics about shopper behavior in retail stores,” the report states. Indeed, “in the U.S., there is very little comprehensive regulation of privacy and data collection by nongovernmental entities,” one attorney notes, while another, Paul Lanois, points out, “If enough data can be tied to an identifier over the course of time, then it would be possible of course to identify the user of the device.” [Forbes]

US – Ads That Smile Back and Big Data in the Air

Coffee company Bahio utilized a Microsoft Kinect camera in its ads to collect 42,000 facial responses. Eventually, after scanning multiple faces, “the images and taglines changed to reflect viewers’ reactions,” the report states. While critics argue that “ads like these further erode individual privacy and consumers’ ability to choose who gets their data,” David Cox of M&C Saatchi, one of the companies that developed the ad technology, disagrees. “Each interaction is given a number; that’s it,” he said. “We’re trying not to be creepy.” Meanwhile, SmartDataCollective reports that for airlines, “trillions of calculations are being number-crunched to transform this goldmine of data opportunity into real, tangible high revenue opportunities for the airlines and their frequent flyer programs.” [Quartz]

WW – “Siri, Are You Keeping My Secrets?”

Apple’s iOS release and the digital assistant therein is giving privacy advocates pause. Users no longer need to press a button to ask “Siri” a question; instead, the phone constantly listens to conversations, waiting for an opportunity to assist with things like directions—or even to tell a joke. “When you enter the realm of always-on devices, there are real privacy implications that need to be addressed,” said Marc Rotenberg of the Electronic Privacy Information Center. Even if the user consents, he added, those nearby may not agree “to the routine recording of everything they might say.” [The Washington Post]


WW – Google Unveils Opt-Out, Auto-Spam Features

Google has unveiled two new features for Gmail. The “block sender” function allows users to block people from sending emails by automatically sending blocked emails to the spam folder. The unsubscribe feature allows users to stop receiving promotional emails without dealing with the typical “why are you leaving?” process involved in unsubscribing, essentially overriding the opt-out mechanism provided by the company sending the email. While typically that company would be responsible for the consent function, this feature changes that. The unsubscribe feature is available on Gmail’s updated Android app, the report states, but iOS users don’t have access yet. [Wired]


US – Working Group Considers Ways to Access Encrypted Data

An Obama administration working group has come up with four possible approaches that tech companies could implement that would allow law enforcement to access encrypted data. Each of the methods could be implemented, but each also has shortcomings. [Washington Post] [Washington Post] [SCMagazine]

US – White House Had Explored Smartphone Encryption Workarounds

A report details behind-the-scenes attempts by an Obama administration working group to get tech companies to provide law enforcement with access to encrypted communications technology. Although the group said the four approaches it identified were “technically feasible,” each had drawbacks, too. According to senior officials, the potential solutions were not intended as “administration proposals” for fear of blowback, the report states. The National Security Council’s Mark Stroh said the administration “continues to welcome public discussion of this issue as we consider policy options.” While the group did not offer technical solutions, it did include guiding principles—two of which included no bulk surveillance and no “golden keys” for government access. [The Washington Post] See also: [The White House has indicated it will not seek legislation to mandate backdoors to encrypted communication services]

US – NSA Director Agrees that Encryption Key Copies Increase Likelihood of Breaches

During a Senate Intelligence Committee hearing on Thursday, September 24, NSA director Admiral Michael Rogers acknowledged that if the government holds encryption keys, there is a significantly higher risk of data breaches. Rogers was responding to a question from Senator Ron Wyden (D-Oregon). [VentureBeat]

WW – Let’s Encrypt Issues its First SSL/TLS Certificate

Let’s Encrypt, the free open source certificate authority (CA), signed its first certificate earlier this week. The project is currently in beta status. [ZDNet] [The Register] [ComputerWorld]

WW – Encryption Now Part of Facebook’s Free Platform for Developing Countries

Facebook’s free web services platform for developing countries now boasts encryption, a 180-degree turn from May announcements that the program would operate without it. The platform “is pledging not to store any data on how people actually use the services,” the report states. “In its new data retention policy, the service promises to only store domain name information and the amount of data used, along with device information that would be visible even if the traffic were encrypted.” While “more detailed information will still be visible to” the platform, the report adds, “the platform says it won’t collect that data.” [The Verge]

EU Developments

EU – Safe Harbor Invalid, Says Top EU Court’s Advocate General

There has been a major development in the closely watched Schrems v Data Protection Commissioner case now in front of the European Court of Justice (ECJ): The ECJ’s Advocate General, charged with providing reasoned and impartial opinions to the court for its consideration, has delivered an opinion saying not only that the Irish Data Protection Commissioner has the right to investigate Facebook’s data transfers regardless of the Safe Harbor agreement, but also that the Safe Harbor agreement itself is “invalid,” due to the law-enforcement access to EU citizen data revealed by Edward Snowden. Denis Kelleher writes for Privacy Tracker about why this makes the Schrems case very interesting, indeed. See also: [BCRs Looking Good After Safe Harbor Opinion? Here’s Some Help]

EU – Schrems Reacts to Advocate General’s Opinion

It’s been a long road for Austrian student Max Schrems’ group Europe v. Facebook, but today, Schrems is celebrating. European Court of Justice (ECJ) Advocate General Yves Bot has issued his opinion in a case originally filed by Schrems alleging the U.S. National Security Agency collected Europeans’ data via Facebook in violation of EU law, and it looks like Schrems’ work may not have been in vain. Bot agrees with Schrems, it seems, and his opinion could mean big trouble for data transfers from the EU to the U.S. under Safe Harbor—especially without changes to the role mass surveillance systems play in data access. See also: [EU What’s Next for Safe Harbor?]

EU – 50 EU Parliamentarians Send U.S. Letter on “Digital Protectionism”

Fifty members of the European Parliament have released an open letter directed at the U.S. refuting claims, including by President Barack Obama, that the EU is engaging in “digital protectionism.” The letter states, “While we admire the dynamism and success of Silicon Valley, we trust in Europe’s ability to foster talent, creativity and entrepreneurship. The acronym ‘GAFA’ is not one we ever use, and we do not see legislation as a way to manage the growth of companies.” GAFA stands for Google, Apple, Facebook and Amazon, and has been used as a term to describe American imperialism, according to a Quartz report from 2014. Meanwhile, MEP Viviane Reding opines on the EU-U.S. Umbrella Agreement. [ZDNet]

EU – Privacy Commission: Don’t Be Intimidated by Facebook

An attorney for the Belgian Privacy Commission told a judge not to be intimidated by Facebook in a case in which the commission is trying to require the company to change its privacy policy for Belgian citizens. “Don’t be intimidated by Facebook,” said a commission official. “They will argue our demands cannot be implemented in Belgium alone,” he said, adding, “Our demands can be perfectly implemented just in this country.” An attorney for Facebook queried, “How could Facebook be subject to Belgian law if the management of data gathering is being done by Facebook Ireland and its 900 employees in that country?” [Bloomberg Business]

EU – CNIL Rejects Google’s RTBF Appeal

The French data protection authority, the CNIL, has rejected an appeal by Google on the so-called right to be forgotten. The CNIL has ordered Google to apply the decision to honor European takedown requests across all its websites, not just EU-based ones. The CNIL wrote, “Contrary to what Google has stated, this decision does not show any willingness on the part of the CNIL to apply French law extraterritorially … It simply requests full observance of European legislation by non-European players offering their services in Europe.” Google, which could now face fines up to $340,000, said it disagrees with the CNIL, adding, “We’ve worked hard to implement the right-to-be-forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so.”[The New York Times]

EU – Media Orgs Object to CNIL’s May RTBF Order

The Reporters Committee for Freedom of the Press, alongside 29 other U.S. media organizations, sent a letter to French privacy regulators (CNIL) objecting to its May order that Google expand its Right To Be Forgotten delisting to all global iterations of the site. This, said the letter, is an “unacceptable interference with what people in other nations can post and read on the Internet.” The letter, according to the report, comes as CNIL considers whether to appoint a special rapporteur to respond to Google’s refusal to abide by its order. “We want to see the Internet as free and open as possible,” said Reporters Committee Executive Director Bruce Brown. “The order interferes with that.” [Columbia Journalism Review]

Research from Queen Mary University of London’s School of Law and lawyers at Pinsent Masons indicates the General Data Protection Regulation (GDPR) “will require big improvements to organisations’ computer security.”

The GDPR’s implications for protecting employee data is analyzed.

Amendments to Germany’s telecommunications law to meet the need for expanded WiFi access has privacy advocates and others concerned.

Facts & Stats

WW – Security Spending to Top $75 Billion

A new report from Gartner forecasts that security spending across the globe will reach approximately $75.4 billion in 2015, in large part driven by government initiatives, legislation and massive data breaches. “Interest in security technologies is increasingly driven by elements of digital business, particularly the cloud, mobile computing and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks,” said Gartner Research Analyst Elizabeth Kim. She also said organizations are investing in endpoint detection, remediation and cloud security tools and threat intelligence. [ZDNet]

US – Getting Data Protection Wrong a Costly Mistake

The cost of post-breach clean-up is growing in severity, and it can act as a powerful motivator for companies to get data protection right. “U.S. businesses didn’t need another reason to get very serious, very quickly, about cybersecurity, but now they have one,” said STEALTHbits’ Jeff Hill. “Add the cost of litigation in an increasingly hostile legal environment to the list of unsettling data breach consequences that already includes reputation loss, customer exodus, embarrassment and federal government fines.” The report comes on the heels of a Kaspersky Lab survey that found small businesses need a budget of at least $38,000 to be able to handle breaches. [InfoWorld]


TH – Thai Single Gateway Plan Criticized

Thailand’s government is facing public outcry over its plan to establish a single Internet gateway for the country. Opponents of the plan say it will slow down Internet service and could cause enormous problems if it were to fail. They also noted that it would likely discourage foreign companies from doing business in Thailand. [ZDNet]


US – New Data Breach Guidance from PCI SSC

The Payment Card Industry Security Standards Council (PCI SSC) has published guidance for organizations to handle data breaches effectively and with minimal financial consequence. “Prevention, detection and response are always going to be the three legs of data protection,” said Stephen W. Orfei, PCI SSC general manager. “Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it.” The guidance may prove timely for organizations looking to avoid expensive breach claims, which a NetDiligence study found averaged $4.8 million in 2015 for large companies.

WW – Survey: Cybersecurity Experts Happy to Make Mobile Payments Despite Risks

According to a recent survey of 900 cybersecurity experts, 87% expect an increase in mobile payment data breaches over the next 12 months, but 42% have used the payment method in 2015. The 2015 Mobile Payment Security Study by ISACA indicates cybersecurity professionals, while aware of the risks, are willing to balance the benefits of mobile payments, the report states. “ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks,” said ISACA’s John Pironti in a media release, adding risks shouldn’t slow down mobile payment adoption as long as they are properly managed. [Full Story]

US – SEC Fines Investment Firm $75,000

Missouri-based investment firm R.T. Jones Capital Equities Management has agreed to settle with the SEC and pay $75,000 over charges that it did not have a cybersecurity policy in place prior to a data breach that compromised the personal information of 100,000 individuals. During a four-year period, the firm stored the sensitive data on a third-party server, which was eventually breached in 2013. The SEC alleged the company never had any cybersecurity policies or procedures in place and did not conduct risk assessments or implement any security protections like firewalls or encryption. McDermott Will & Emery’s Eugene Goldman said, “This is the start of a series of similar actions that will be brought this year and next.” [InvestmentNews]

US – EMV Implementation is Chip-and-Signature, Not Chip-and-PIN

As of October 1, 2015, US retailers were expected to have adopted terminals that accept chip-based payment cards; from that date the card networks shifted liability for counterfeit-card fraud onto merchants that had not. The technology, also known as EMV (for Europay, MasterCard, Visa), aims to provide stronger security for payment card transactions. However, what has largely been implemented in the US is chip-and-signature instead of chip-and-PIN. The distinction matters for one threat in particular: the chip’s per-transaction cryptogram defends against cloned cards under either scheme, but without a PIN a lost or stolen card can still be used for in-person purchases, so chip-and-signature gives up that second layer of protection. [SC Magazine] [CNET]
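Whether a given transaction ends up as chip-and-PIN or chip-and-signature is decided largely by the card’s cardholder verification method (CVM) list, EMV tag 8E, which the terminal walks against its own CVM capabilities (the second byte of tag 9F33). The following Python is an added example, not code from the SC Magazine or CNET reports: it parses a CVM list and applies a simplified form of the EMV Book 3 selection rules. The two card profiles and the terminal capability values are constructed for illustration, and the cash and cashback conditions are treated as never met, as they would be for a plain purchase.

```python
"""Parse an EMV CVM List (tag 8E) and pick the cardholder verification method
a terminal would use. Simplified from EMV Book 3 section 10.5; the CVM lists
and terminal capabilities below are constructed for illustration."""
import struct

# CVM codes (low 6 bits of the first byte of each two-byte rule).
CVM_CODES = {
    0x00: "fail CVM processing",
    0x01: "plaintext PIN verified by ICC",
    0x02: "enciphered PIN verified online",
    0x03: "plaintext PIN by ICC + signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN by ICC + signature",
    0x1E: "signature",
    0x1F: "no CVM required",
}
FALL_THROUGH = 0x40  # bit 7 of the CVM byte: on failure, try the next rule

# Terminal CVM capability bits (second byte of tag 9F33).
CAP_PLAINTEXT_PIN_ICC = 0x80
CAP_ENCIPHERED_PIN_ONLINE = 0x40
CAP_SIGNATURE = 0x20
CAP_ENCIPHERED_PIN_ICC = 0x10
CAP_NO_CVM = 0x08
# Capability bits a terminal must have to perform each CVM code.
REQUIRED_CAPS = {
    0x01: CAP_PLAINTEXT_PIN_ICC,
    0x02: CAP_ENCIPHERED_PIN_ONLINE,
    0x03: CAP_PLAINTEXT_PIN_ICC | CAP_SIGNATURE,
    0x04: CAP_ENCIPHERED_PIN_ICC,
    0x05: CAP_ENCIPHERED_PIN_ICC | CAP_SIGNATURE,
    0x1E: CAP_SIGNATURE,
    0x1F: CAP_NO_CVM,
}

def parse_cvm_list(data):
    """Return (amount_x, amount_y, rules); each rule is (code, fall_through, condition)."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM list")
    amount_x, amount_y = struct.unpack(">II", data[:8])  # two 4-byte binary amounts
    rules = []
    for i in range(8, len(data), 2):
        code, cond = data[i], data[i + 1]
        rules.append((code & 0x3F, bool(code & FALL_THROUGH), cond))
    return amount_x, amount_y, rules

def condition_met(cond, amount, amount_x, amount_y, supported):
    """CVM condition codes. Cash/cashback conditions (0x01, 0x02, 0x04, 0x05)
    are treated as unmet, which is what a plain purchase sees."""
    return {
        0x00: True,               # always
        0x03: supported,          # if terminal supports the CVM
        0x06: amount < amount_x,  # application currency, under X
        0x07: amount >= amount_x,
        0x08: amount < amount_y,
        0x09: amount >= amount_y,
    }.get(cond, False)

def select_cvm(cvm_list, terminal_caps, amount):
    """Walk the rules in order and return the CVM the terminal would perform."""
    amount_x, amount_y, rules = parse_cvm_list(cvm_list)
    for code, fall_through, cond in rules:
        required = REQUIRED_CAPS.get(code)
        supported = required is not None and (terminal_caps & required) == required
        if not condition_met(cond, amount, amount_x, amount_y, supported):
            continue            # condition not satisfied: move to the next rule
        if supported:
            return CVM_CODES[code]
        if not fall_through:
            break               # unsupported and no fall-through: CVM processing fails
    return "CVM failed"

# Constructed CVM lists (X = Y = 0). Rule bytes: 0x5E = signature, 0x41 = plaintext
# PIN, 0x42 = online enciphered PIN (each with fall-through set), 0x1F = no CVM.
# Condition 0x03 = "if terminal supports", 0x00 = always.
SIGNATURE_FIRST_CARD = bytes.fromhex("00000000 00000000 5E03 4203 1F00")    # US-style profile
PIN_FIRST_CARD = bytes.fromhex("00000000 00000000 4103 4203 5E03 1F00")     # chip-and-PIN profile

PIN_PAD_TERMINAL = CAP_PLAINTEXT_PIN_ICC | CAP_ENCIPHERED_PIN_ONLINE | CAP_SIGNATURE | CAP_NO_CVM
SIGNATURE_ONLY_TERMINAL = CAP_SIGNATURE | CAP_NO_CVM

if __name__ == "__main__":
    cards = (("signature-first card", SIGNATURE_FIRST_CARD), ("PIN-first card", PIN_FIRST_CARD))
    terminals = (("PIN pad terminal", PIN_PAD_TERMINAL), ("signature-only terminal", SIGNATURE_ONLY_TERMINAL))
    for card_label, card in cards:
        for term_label, caps in terminals:
            print(f"{card_label} at {term_label}: {select_cvm(card, caps, 5000)}")
```

The point the run makes is that a signature-first card asks for a signature even at a terminal with a PIN pad, because the card, not the terminal, orders the list; a PIN-first card falls back to signature only when the terminal cannot do PIN.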


US – UC Berkeley First to Release Transparency Report

The University of California-Berkeley is now the first U.S. university to have published a set of transparency reports on government data requests. The reports outline requests on student, faculty and staff data. Berkeley has stressed the importance of digital privacy on campus for some time. It has 37,000 students and up to 100,000 devices potentially connected to its network at any time. The school sometimes handles law enforcement data requests, and its new report explains how, with processes that include a request form to be reviewed by the school’s privacy office before being approved or denied. [Slate]


US – Genetic Database Privacy Questions Remain

A National Institutes of Health (NIH) Advisory Group’s recommendations on the Precision Medicine Initiative (PMI) genetic data database indicate a “thoughtfulness and thoroughness” regarding the project’s privacy sensitivity, but “significant questions” remain, the American Civil Liberties Union’s Jay Stanley writes. “It does not look as though this will be an airtight, privacy-protective system where subjects’ data will be technologically guaranteed private,” Stanley writes, noting “the cybersecurity questions are considerable. A fair amount of trust will have to be placed by participants in those who run this program.” He also recommends PMI “be studied and analyzed closely by privacy advocates.” [Free Future]

Health / Medical

US – Hackers Are Focused on Health; Employee Error Concerns Persist

A Raytheon/Websense Security Labs study has found that health services combat 340% more cyber-attacks than other types of organizations. “It’s clear that with the amount of personally identifiable and proprietary information available and inherent as part of the healthcare industry, it will remain an attractive target to attackers and a potential weak point for untrained employees,” said the survey’s authors. However, a new survey by Scrypt has found that the primary “concern in terms of HIPAA breach potential within healthcare organizations is around staff or human error.” Executive Insight offers tips on getting healthcare security right, with one PR professional noting, “If patient data is breached, the hospital’s reputation is immediately jeopardized.” Meanwhile, a CNN report indicates that some organizations’ wellness programs may not protect employees’ privacy. [FierceHealthIT]

US – Fitbit Now HIPAA-Compliant

Fitbit says it is now HIPAA-compliant as an organization. “We have gone through a third-party audit and we are now HIPAA-compliant as an organization,” said Fitbit Wellness Vice President and General Manager Amy Donough, adding that this enables the company to “be able to sign business associate agreements and work with covered entities … We’ll be able to more deeply integrate and partner with some of these organizations to be able to have more effective and more engaging wellness programs.” Donough noted that while personal health information isn’t “the information we share or create today … it will become important as we continue to grow.” One caveat for readers: HHS does not certify HIPAA compliance, so a claim like this rests on the third-party audit and on the company’s readiness to take on business associate obligations, not on any official status. [MobiHealthNews]

Horror Stories

US – T-Mobile Customer Data Compromised in Experian Breach

A breach of an Experian database affects 15 million US T-Mobile customers. Experian processes credit checks for T-Mobile customers. The compromised data include names and Social Security numbers (SSNs) but not financial account information. The breach affects data collected between September 1, 2013 and September 16, 2015. [The Hill] [The Register] [Wired]

UK – Millions of Nuisance Calls Result in Record Fine

The Information Commissioner’s Office has fined Home Energy & Lifestyle Management (Helms) 200,000 GBP, a record amount, for making six million nuisance calls. “This is a clear breach of the rules. The data controller—the company—has to take responsibility for this,” said Information Commissioner Christopher Graham, who indicated “companies should make their directors personally liable for breaches,” the report states. However, Helms maintains that the third party in its employ that made the calls was at fault. Helms “always accepted they were responsible,” an attorney for Helms said, adding, “But there is a distinction between a deliberate act and a negligent act.” Helms plans to appeal the decision. [The Telegraph]

WW – Hotels, Healthcare Orgs Report Breaches

The Trump Hotel Collection has announced point-of-sale systems at seven of its hotels in the U.S. and Canada “were infected with malware, potentially affecting an unspecified number of customers.” Information including account numbers, security codes and cardholder names “of individuals who used a payment card at the hotel between May 19, 2014, and June 2, 2015, may have been affected,” Trump Hotels has said. Meanwhile, Palo Alto VA Health Care System reportedly “unlawfully gave patient data to a private IT company despite employees not having cleared background checks,” and “16,000 people are being notified of a major risk to their private health information following an email attack” on Oakland Family Services, a Michigan-based nonprofit. [BankInfoSecurity]

US – Kardashian’s Site Security Flaw Left 600,000 Vulnerable

A curious developer discovered an unprotected API on one of the Kardashian sisters’ new websites, which not only left the personal information of upwards of 600,000 users exposed but also gave the interloper the ability to manipulate data. The 19-year-old developer, Alaxic Smith, promptly reported the issue to the site’s creator, Whalerock, which patched the hole. “Our logs indicate that (Smith) was able to access only a limited set of names and email addresses,” Whalerock said in a statement. “No one else had access, and no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data.” However, “the company is still in the process of validating what data was breached, and what, if any, data was actually saved or archived by Smith himself,” the report continues. [Tech Crunch]
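An API that accepts a record identifier and checks nothing about who is asking is the canonical broken object-level authorization bug: read access becomes enumeration of the whole user table, and write access becomes tampering. The following Python is an added example, not the site’s code or anything from the TechCrunch report: a handler that trusts the id in the URL, beside one that binds the request to a session token and answers non-owners with the same 404 it gives for a missing id. The user records, tokens and field names are constructed.

```python
"""Added example: a profile API with no authentication, beside a hardened
version that binds each request to a session and enforces object-level
authorization. Users, tokens and field names are constructed; this is not
the site or code discussed in the report above."""
import hmac
import secrets
from typing import Optional

# Constructed user table keyed by a sequential numeric id.
USERS = {
    1: {"name": "Ada", "email": "ada@example.test", "newsletter": True},
    2: {"name": "Bob", "email": "bob@example.test", "newsletter": False},
}

# ---- Vulnerable shape: the handler trusts the id in the URL and nothing else. ----
def get_user_unprotected(user_id: int) -> Optional[dict]:
    """GET /api/users/<id> with no authentication: anyone can read any row."""
    return USERS.get(user_id)

def update_user_unprotected(user_id: int, changes: dict) -> bool:
    """PUT /api/users/<id> with no authentication: anyone can alter any row."""
    if user_id not in USERS:
        return False
    USERS[user_id].update(changes)
    return True

def harvest(id_range) -> list:
    """What a curious caller can do against the unprotected endpoint:
    walk the sequential id space and collect every e-mail address."""
    return [(i, USERS[i]["email"]) for i in id_range if get_user_unprotected(i)]

# ---- Hardened shape: token -> principal, then an ownership check per object. ----
SESSIONS = {}  # session token -> user id (constructed in-memory session store)
WRITABLE_FIELDS = {"name", "newsletter"}  # e-mail changes would need re-verification

def login(user_id: int) -> str:
    """Issue a random session token for an existing user."""
    if user_id not in USERS:
        raise KeyError(user_id)
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def principal(token: Optional[str]) -> Optional[int]:
    """Resolve a bearer token to a user id using a constant-time comparison."""
    if not token:
        return None
    for stored, uid in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return uid
    return None

def get_user_protected(token: Optional[str], user_id: int):
    """Return (status, body). Non-owners get the same 404 as a missing id,
    so the endpoint does not double as an id-enumeration oracle."""
    caller = principal(token)
    if caller is None:
        return 401, None
    if caller != user_id or user_id not in USERS:
        return 404, None
    return 200, USERS[user_id]

def update_user_protected(token: Optional[str], user_id: int, changes: dict) -> int:
    """Return an HTTP-style status: 401 unauthenticated, 404 not the caller's
    record, 400 attempt to write a field the API does not allow, 200 applied."""
    caller = principal(token)
    if caller is None:
        return 401
    if caller != user_id or user_id not in USERS:
        return 404
    if not set(changes) <= WRITABLE_FIELDS:
        return 400
    USERS[user_id].update(changes)
    return 200
```

The ownership check belongs in every handler that takes an object id, not only in the one that was reported; a review of such an incident should enumerate all routes that accept an identifier and confirm each one resolves the caller first.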

Internet / WWW

WW – UN Report Proposes Stricter Internet Regulation

A newly released report from the United Nations’ Broadband Commission for Digital Development is titled “Cyber Violence Against Women and Girls: A World-Wide Wake-Up Call.“ The report declares online violence against women and girls, or “cyber VAWG,” a “problem of pandemic proportion.” Writing in The Washington Post, Dewey agrees with this assessment but disagrees with the report’s recommendations that countries around the world enact regulations that would hold Internet companies like social media sites and chat rooms responsible for the content created on them and only “license” those sites that agree to heavily moderate the content they host. [The Washington Post]

US – US and China Announce Cyber Espionage Agreement

At a press conference last week, US President Obama and Chinese President Xi Jinping announced that they had reached a “common understanding” regarding cyber espionage. The leaders agreed that both countries will not “conduct or knowingly support cyber-enabled theft of intellectual property.” There is skepticism that the agreement will result in change. [SC Magazine] [Wired] [DarkReading]

WW – Cybersecurity Pact With China Lauded

The agreement between Chinese and American heads of state to view online issues with increased gravity was a wise move. “They made some significant progress in doing this,” said James Lewis of the Center for Strategic and International Studies. The two administrations also pledged to create a group to track their cooperation in responding to cybercrime as well as a hotline “to resolve disputes over sharing information related to those crimes,” the report states. [The Daily Dot] SEE ALSO: [China Focus Could Spawn Future Issues]

US – CISA Stance Clarified

After Salesforce received criticism for signing a letter that some interpreted to be a support of the controversial CISA cybersecurity information-sharing bill, Salesforce’s CEO clarified the company’s stance via Twitter.


WW – Roomba 980 Can Now Map Your House

The company behind Roomba, iRobot, has a new offering: the Roomba 980, which comes equipped with a camera and software that allows the device to gradually map its location. “Being able to localize in the environment is a foundational capability,” said iRobot’s Chris Jones. “You can imagine the day when a robot in the home can perceive and understand salient objects in the environment—that’s a couch, that’s my oven—that type of thing.” The company is wise to privacy questions around the new offering. “A representative explains that the maps are not transmitted from Roomba, and they are deleted after the robot finishes cleaning a room,” the report states. [MIT Technology Review]

WW – Getting the “Drops” on Reshipping

With so many retailers now refusing to ship to Russia or Eastern Europe because of endemic organized cybercrime, how do these cyber-thieves use the credit card numbers they’ve stolen? The answer is “reshipping,” a practice documented in the report “Drops for Stuff,” newly released and written by eight security researchers. How does it work? “Operators” recruit “drops” to receive goods and then reship them to “stuffers” who then sell them on the black market. This allows cybercriminals to turn a $10 purchase of a stolen card into $700 in black market cash. [KrebsonSecurity]

The Electronic Privacy Information Center has filed a Freedom of Information Act lawsuit against the U.S. Coast Guard and the Department of Homeland Security over a program that tracks and records boaters’ locations.

Online Privacy

WW – App Pays $11 Per Month To Track Users

Data collection start-up Symphony Advanced Media has released a video-tracking app that will pay users $11 per month to let it track all of their video viewing habits. VideoPulse uses a passive-listening program that hears what a user is watching in order to track it. The goal is to accurately gauge video analytics—an oft-debated issue in media circles, the report states. “There has been a significant void in understanding how consumers are using nontraditional media platforms, but innovation has finally arrived in the media measurement space,” said Symphony Advanced Media CEO Charles Buchwalter. The app currently has approximately 15,000 users and is being tested by several companies, including NBC, Viacom, Warner Bros. and A&E Networks. [Mashable]

US – EFF Announces Adzerk Will Honor DNT

Advertising company Adzerk, whose clients include Reddit, Stackexchange and Bittorrent, pledged to both respect user do-not-track requests and not have their ads “blocked by the major ad-blocking software.” “Blocking interfaces in browsers and operating systems are not only necessary for user freedom, security and privacy, but they are actually beginning to produce genuine improvements in the practices of the advertising industry,” said the Electronic Frontier Foundation’s Peter Eckersley and Alan Toner in a statement. “Apple should be congratulated for helping to make this happen, and those who are fearful about the future of the advertising-funded web should join us, Adzerk and other companies in helping to ensure that there are fewer reasons for users to need to block ads in the first place.” [BoingBoing]

WW – “Like” Button Data To Determine Ads

Facebook has announced it will use data gleaned from its “Like” buttons to tailor specific ads to users. “After the change, the types of sites you visit could be used to tune ads shown to you inside Facebook’s social networking service, its photo-sharing service Instagram and mobile apps that use Facebook’s ad network,” the report states. Facebook has also announced an opt-out for the ads, but the Electronic Frontier Foundation’s Rainey Reitman said, “Promising not to use information is not the same as promising to actually delete the data. The ‘Like’ data is especially problematic. Most people probably don’t even realize that whenever they load a page with a ‘Like’ button on it, Facebook gets a little information on them.” [Technology Review]

WW – Apple Updates Privacy Policy

Everyone, regardless of what devices they use, “should take a look at the latest edition of Apple’s privacy policy.” The policy, which includes details about data collection, “is a shining example of how easy to understand, transparent and clear such a document should be. It sets a bar other tech firms should follow,” the report states. [Computerworld] SEE ALSO: [Do Simpler Privacy Policies Invite More Outrage? ] and [Should Privacy Policies List Marketing Partners?]

WW – Microsoft Responds to Windows 10 Concerns

Microsoft has responded to privacy concerns about Windows 10. In a blog post, Microsoft’s Terry Myerson details the ways Windows 10 gathers and uses data, the report states. Myerson notes “Windows 10 collects information so the product will work better for you,” adding that users “are in control with the ability to determine what information is collected.” [The Verge] See also: [Microsoft’s Smith: Privacy and Security Balance Necessary] See also: [Microsoft Executive Vice President and General Counsel Brad Smith talks about the ongoing litigation with the U.S. Department of Justice over emails stored in Ireland and the importance of security equilibrium]

WW – IBM Releases Cloud Security Enforcer

IBM has released new cloud security technology that aims to help protect organizations from risks associated with the rise of “bring-your-own cloud apps.” Research conducted by IBM indicates “one-third of employees at Fortune 1000 companies are sharing and uploading corporate data on third-party cloud apps,” the report states. At the same time, they’re using weak passwords or signing in using personal email addresses. Given such risks, IBM’s Cloud Security Enforcer allows companies to see all the third-party cloud apps employees are using, “provides a secure way to access them and enables companies to control which corporate data can and cannot be shared with the apps.” [eWeek]

Other Jurisdictions

IN – Tech Leaders Urged to Ask Modi to Rethink Privacy

As Indian Prime Minister Narendra Modi travels to meet with the leaders of American tech powerhouses such as Apple CEO Tim Cook, many are calling for them to encourage Modi’s ideas for “Digital India” toward a greater respect of citizens’ privacy rights. Modi aims to use the trip “to showcase what a big market India is,” said Arvind Gupta of Modi’s Bharatiya Janata Party. However, Modi’s “Digital India project does not rest on a legal framework that respects privacy and sensitive information,” said Stanford’s Thomas Blom Hansen. “While India presents significant business opportunities, CEOs should tell Modi that they will oppose any steps that erode free expression or privacy rights,” said Human Rights Watch’s Brad Adams. [The Washington Post] After much criticism, India’s government has pulled its draft encryption legislation.

RU – Russian Court Fines Google Over Alleged Privacy Violation

A Moscow city court has fined Google 50,000 rubles (under 1,000 euros at 2015 exchange rates) for allegedly violating the privacy of a Russian citizen through its targeted advertising. The Russian citizen sued the company for illegally reading his emails, but Google says its advertising is operated by an automated system. “Humans are not reading your emails,” Google told AFP, adding, “Our automated system scans emails in order to prevent spam reaching your inbox and to detect bad things like malware.” The decision could open the doors for more similar actions against the company. [AFP]

Qatar has reinforced its cybercrime law with the government’s approval of “an amendment that criminalizes photographing those who are injured or killed in accidents and posting them on social media.”

Australian MPs Terri Butler and Tim Watts have released a draft bill that would make revenge porn a federal crime.

The governments of Australia and South Korea have “signed a blueprint of defence and security cooperation between the two nations.”

Privacy (US)

US – Brill Calls for Advertisers to Be Upfront With Consumers

At the Better Business Bureau’s National Advertising Division Annual Conference, Federal Trade Commissioner Julie Brill used her keynote address to discuss the need for organizations to respect user privacy as they employ new advertising techniques such as tracking and data-sharing. “Advertising has become one of the most technologically advanced and data-driven industries in our economy,” Brill said. “However, it is not enough that companies communicate with and provide choices to consumers regarding retail mobile location tracking. They must also be truthful about these choices.” She also pushed for greater opt-out abilities for data-sharing online. “After all these years, consumers still don’t understand what’s happening with their personal information,” she said, “and they continue to struggle to control targeted advertising and data collection.”

US – “Unfair Methods of Competition” Statement Prompts Concerns

In a blog post, the Phoenix Center’s Lawrence J. Spiwak echoes Federal Trade Commissioner Maureen Ohlhausen’s sentiments on the FTC’s recently released Statement of Enforcement Principles Regarding ‘Unfair Methods of Competition’ Under Section 5 of the FTC Act, contending, “The FTC’s conduct in this case was certainly not an example of good government.” The next steps? “While the FTC deserves kudos for at least attempting to move the ball forward … my recommendation is that before we go too far down the road … prudence would dictate that we go back to the drawing board,” Spiwak writes, adding, “the American public deserve a well-reasoned and cohesive approach to Section 5’s unfair methods of competition standard.” [The Hill]

US – Comcast Settles With California for $33 million for Privacy Violations

Comcast has agreed to a $33 million settlement with the California Department of Justice and the California Public Utilities Commission for posting personal details online of customers who had paid for unlisted voice-over-Internet-protocol phone service. Comcast will pay $25 million to the two departments, $8 million in restitution to the 75,000 affected customers and has agreed to a permanent injunction mandating it strengthen rules on vendors that process personal information and provide additional monetary relief to customers “who have identified personal safety concerns” stemming from the disclosure of their data. “This settlement provides meaningful relief to victims (and) brings greater transparency to Comcast’s privacy practices,” said California Attorney General Kamala Harris. [Reuters]

US – Candidate Websites Fail Privacy Test

An Online Trust Alliance (OTA) survey of the 23 presidential candidates’ websites found that only six candidates protect basic user privacy. While cybersecurity ratings were high across the board, the omissions were dubbed “alarming” by the group, which found that some candidates’ sites didn’t have privacy policies posted. “One of them will be our next president,” said the OTA’s Craig Spiezle. Not all findings were doom and gloom, however. “Six candidates were lauded because they pledged in their privacy policies not to share personal information without users’ permission or a court order: Republicans Jeb Bush, Chris Christie, Rick Santorum and Scott Walker, and Democrats Lincoln Chafee and Martin O’Malley,” the report states. [The Wall Street Journal]

US – IAPP-EY Annual Privacy Governance Report 2015

Privacy, still nascent a decade ago, now employs thousands of professionals across the gamut of organizational structures and around the world. Yet there is still relatively little data about how the work of privacy is done. To that end, IAPP and EY surveyed a broad spectrum of organizations to document privacy governance—literally, how privacy is done. Today, we share the findings—the most comprehensive look at the structure and “how” of privacy governance we’ve ever released. At more than 150 pages, it is a document full of deep data and interesting trends, including looks at differing approaches taken by industry, by size of company, by maturity of program and by region of the world. Dive in.

US – Schneier: Tech Needs Increased Regulation

As new technologies employ facial recognition and surveillance flourishes, more regulatory strides must be made, Bruce Schneier writes. “Despite protests from industry, we need to regulate this budding industry,” he notes. “We need limitations on how our images can be collected without our knowledge or consent, and on how they can be used.” Meanwhile, payment-processing company Worldpay has announced a prototype for a chip-and-pin terminal that “takes a photo of a shop customer’s face the first time they use it and then references the image to verify their identity on subsequent transactions,” a move that has inspired privacy concerns. [Forbes]

US – OIG: OCR Has Room for Improvement

In two separate reports, the Office of the Inspector General (OIG) has found the Office for Civil Rights (OCR) has “room for improvement” in both HIPAA compliance and post-breach procedures. “OCR had not announced when it will begin its permanent audit program,” the OIG said in its first study. “Without fully implementing such a program, OCR cannot proactively identify covered entities that are noncompliant with the privacy standards.” The second study found that over one third of OCR employees failed to ensure that covered entities “had reported prior large breaches” and called for the agency to “develop an efficient method in its case-tracking system.” Meanwhile, the OCR has announced that Phase 2 of HIPAA audits will begin in early 2016. [HealthIT Security]

US – IAPP Privacy Innovation Award Winners Announced

The winners of the 2015 IAPP Privacy Vanguard Award and the 13th Annual HP-IAPP Privacy Innovation Awards were honored for their work in the privacy field. Hogan Lovells Partner and Director of the Privacy and Information Management Practice and Co-Chair of the Future of Privacy Forum Christopher Wolf was recognized with this year’s IAPP Privacy Vanguard Award and hailed as a trailblazer in the privacy profession and a “Dean of the Industry.” Three organizations were honored with the HP-IAPP Privacy Innovation Awards in the large, small and innovative privacy technology categories: Intuit, TeleSign and AirWatch by VMware. The Privacy Advisor has all the details. [Full Story]

US – LinkedIn Settlement Approved

U.S. District Court Judge Edward Davila has given LinkedIn’s proposed $1.25 million settlement of a 2012 class-action suit final approval. The “plaintiffs’ claim does not assert that class members were necessarily harmed by the data breach, but that they overpaid for their premium LinkedIn subscription because they did not receive promised data security,” Davila noted in his opinion. “The deal requires LinkedIn to pay approximately $15 each to almost 50,000 users who purchased premium memberships to the service,” the report states, adding the company “must use security techniques including ‘salting’ and ‘hashing’ for at least five years.” [Media Post]

US – Proposed Seattle Budget Includes Funding for CPO

In his 2016 budget proposal, Seattle Mayor Ed Murray has included a request for funding for a chief privacy officer position. The new CPO would “address potential privacy concerns and safeguard personal data,” the report states. Seattle hired a chief technology officer in 2014 to oversee a privacy overhaul. The city also appointed a Privacy Advisory Committee and, based on guidance from that committee, created a citywide privacy policy. Murray is also seeking funding for police body cameras, the report states. “We will work carefully to get this right and adequately address privacy concerns,” Murray said of the plan for body-worn cameras. [Geekwire]

US – Senators Want Update From Car Manufacturers

Sens. Edward Markey (D-MA) and Richard Blumenthal (D-CT) have sent letters to 18 automakers asking for an update on their efforts to protect consumers from the privacy risks presented by smart cars. The two launched an investigation into the matter in 2013, asking manufacturers to answer questions on consumer privacy and security, and Markey published a subsequent report outlining hacking and data collection risks. Now, the senators want an update on “company-specific information” that includes 2015 and 2016 vehicles, with any changes that may have been made to vehicles, policies or practices since Markey’s initial inquiry. The senators request the companies respond no later than October 16. [Multichannel News]

US – Parents Unfamiliar with Current Laws: Survey

A Future of Privacy Forum (FPF) survey found that while a majority of parents are concerned about the theft of their children’s academic data, more than half claim to have no knowledge of existing privacy legislation. The FPF reports that 87% of parents “worry about student data being hacked or stolen” but “54% say they know nothing about existing federal laws regulating the use of student data,” which may account for the 57% who are in favor of new privacy legislation. “This survey makes it clear that we must do a better job of explaining to parents how their children benefit from improving the effectiveness of education products based on things learned in the classroom,” said FPF Executive Director Jules Polonetsky. “And parents want a commitment that their student data will never be exploited. I think that’s a commitment they deserve.” [Full Story]

US – Court Dismisses AOL Suit

The U.S. District Court for the Northern District of California has dismissed a class-action that alleged AOL violated the Telephone Consumer Protection Act (TCPA) “when users of its Instant Messenger service sent text messages to incorrect recipients.” The decision is one of the first to evaluate claims under the FCC omnibus TCPA order “offering guidance on numerous issues, including the types of equipment subject to TCPA restrictions and the statute’s application to social app petitioners for text messages sent using their services,” the report states. The court found “the omnibus TCPA order reinforced prior FCC decisions that supported AOL’s arguments for dismissal,” the report states. [Inside Counsel]

The recent IRS breach affecting more than 300,000 individuals has inspired the Senate Finance Committee to develop bipartisan taxpayer identity-fraud legislation, which will be debated.

A federal judge has granted class-action status to lawsuits by financial institutions that were victims of Target’s 2013 breach.

Privacy Enhancing Technologies (PETs)

WW – Security-Minded Blackphone 2 Ready for Preorder

Amidst news this week about privacy-focused smartphones heading to market, Sikur GranitePhone is now available for preorder. The phone aims to connect users while guarding their privacy, which Sikur CEO Frederico d’Avila said popular smartphones do not do adequately, the report states. “They do not always care about security,” d’Avila said, adding, “That’s why we came to that place, to help the customer to have that right solution for their privacy. They’re not looking to security as we do, because we’re living for that.” The recent smartphone announcements come as some analysts question mobile data tracking’s impact on user privacy. [CNET]

WW – Two New Privacy-Focused Phones on the Market

Those who place a premium on private mobile calling and surfing have two new options this fall. First up is the second release from Silent Circle, the Blackphone 2. The Android-powered device features the Silent OS, an “Enterprise space” for companies to cordon off company data from personal data and peer-to-peer encrypted voice and video, among other features. It’s now available to order for $799. Blackberry has announced it will release an Android-powered phone it’s calling the Priv, which “combines the best of BlackBerry security and productivity with the expansive mobile application ecosystem available on the Android platform.” No word on price yet. [9to5Google]

WW – Secure Messaging App Use Booms

Telegram Founder Pavel Durov announced at TechCrunch Disrupt SF that the encrypted messaging service has gone from a billion messages exchanged per day to 12 billion in eight months. This, he argues, indicates privacy’s growing importance in the eyes of consumers—and companies. “Privacy is not something that is relevant only to business users, but businesses are most affected because they could be blackmailed,” he said. The app’s growing appeal has even attracted terrorist groups, the report states. When asked if that is reason for concern, Durov said, “That’s a very good question, but I think that privacy, ultimately, and our right for privacy is more important than our fear of bad things happening, like terrorism.” Meanwhile, G Data has announced “Secure Chat,” a free “tap-proof” messaging app for Android. [TechCrunch]

WW – Security Tool Strengthens Online Anonymity

Dissent is a cryptographically backed network that, when used in conjunction with the Tor network, can markedly improve online anonymity. Dissent uses a DC-net, first proposed by a cryptographer in 1988. Though its performance is much slower than Tor, it is a more effective alternative for achieving online anonymity. “One of the most important things to understand about Dissent,” said project lead Bryan Ford, “is that it’s not going to be a drop-in replacement for Tor, at least not in its current form.” One possible use for Dissent, the report states, “would be to create a privacy-preserving WiFi networking layer.” [Motherboard]
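The DC-net that Dissent is built on, as an added example (not Dissent's own code or the report's): a toy dining-cryptographers round in Python, showing how XORing every participant's published share recovers one message with nothing in the transcript tying it to its sender, plus the two failure modes such a design has to cope with, a collision between two speakers and anonymous disruption by a misbehaving member. The slot format, function names and participant counts are constructed for this illustration.

```python
"""Toy dining-cryptographers network (DC-net), the anonymity primitive that
Dissent layers on top of. Constructed example, not Dissent's own code.

Each pair of participants shares a fresh one-time pad per round. A participant
publishes the XOR of all its pads, XORing its message in if it wants to speak.
XORing every published share cancels every pad (each appears exactly twice),
so the group recovers the message, while no single share in the transcript
reveals which participant spoke.
"""
import hashlib
import secrets
from itertools import combinations
from typing import Dict, Optional, Tuple

DATA_BYTES = 11
TAG_BYTES = 4
SLOT_BYTES = 1 + DATA_BYTES + TAG_BYTES  # length byte + payload + integrity tag
EMPTY_SLOT = bytes(SLOT_BYTES)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_slot(message: bytes) -> bytes:
    """Length-prefix and zero-pad the message, then append a truncated SHA-256
    tag so that the XOR of two simultaneous messages is recognisable as garbage."""
    if len(message) > DATA_BYTES:
        raise ValueError("message too long for one slot")
    body = bytes([len(message)]) + message.ljust(DATA_BYTES, b"\x00")
    return body + hashlib.sha256(body).digest()[:TAG_BYTES]


def decode_slot(slot: bytes) -> Tuple[str, Optional[bytes]]:
    """Classify a recovered slot as ('silent', None), ('message', payload) or
    ('collision', None). A disrupted round also shows up as a collision."""
    if slot == EMPTY_SLOT:
        return "silent", None
    body, tag = slot[: 1 + DATA_BYTES], slot[1 + DATA_BYTES:]
    if hashlib.sha256(body).digest()[:TAG_BYTES] != tag or body[0] > DATA_BYTES:
        return "collision", None
    return "message", body[1 : 1 + body[0]]


def setup_pads(n: int) -> Dict[Tuple[int, int], bytes]:
    """Pairwise shared secrets for one round. A real deployment derives them
    from a key exchange; here they come straight from the OS CSPRNG."""
    return {pair: secrets.token_bytes(SLOT_BYTES) for pair in combinations(range(n), 2)}


def participant_output(i: int, n: int, pads: dict, message: Optional[bytes]) -> bytes:
    """What participant i publishes: the XOR of its pads with every peer,
    plus its encoded message if it chose to speak this round."""
    out = EMPTY_SLOT
    for j in range(n):
        if j != i:
            out = xor_bytes(out, pads[(min(i, j), max(i, j))])
    if message is not None:
        out = xor_bytes(out, encode_slot(message))
    return out


def run_round(n: int, speakers: Dict[int, bytes], disruptor: Optional[int] = None):
    """Run one DC-net round. `speakers` maps participant index -> message.
    A `disruptor` XORs random junk into its own share: the classic DC-net
    jamming weakness, where the round is ruined but the transcript alone does
    not say by whom. Returns (status, message, transcript), the transcript
    being exactly what a passive network observer sees."""
    pads = setup_pads(n)
    transcript = [participant_output(i, n, pads, speakers.get(i)) for i in range(n)]
    if disruptor is not None:
        transcript[disruptor] = xor_bytes(transcript[disruptor], secrets.token_bytes(SLOT_BYTES))
    recovered = EMPTY_SLOT
    for share in transcript:
        recovered = xor_bytes(recovered, share)
    status, message = decode_slot(recovered)
    return status, message, transcript


if __name__ == "__main__":
    # Three participants; only participant 1 speaks, yet every share looks random.
    print(run_round(3, {1: b"hello"})[:2])            # ('message', b'hello')
    print(run_round(3, {0: b"a", 2: b"b"})[:2])       # ('collision', None)
    print(run_round(3, {})[:2])                        # ('silent', None)
    print(run_round(4, {1: b"hi"}, disruptor=3)[:2])   # ('collision', None)
```

Every share in the transcript is a one-time-pad ciphertext, which is why the scheme costs a full round of all-to-all traffic per message and why it runs far slower than Tor's onion routing.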

US – CUJO: Privacy’s Newest Attack Dog

Thanks to the new device CUJO, users can see when their data is being tampered with. Named after the canine antagonist in the Stephen King novel, the tool functions as a guard dog of sorts, keeping tabs on “how much data, the type of data, and where it’s going,” the report states. “If it detects an anomaly, it will alert you on the physical product as well as through an app notification,” with the position of the device’s LED “eyes” an indicator if something’s amiss. [Fast Co Design]

US – Hoofnagle Examines FTC’s TRENDnet Case

“The FTC’s matter against TRENDnet is especially important for the emerging Internet of Things,” UC Berkeley’s Chris Hoofnagle writes. After TRENDnet-produced SecurView cameras were hacked and live feeds were shared publicly, the FTC “sought to have TRENDnet answer the question of whether it can be trusted by consumers,” Hoofnagle writes, adding, “when one reads the TRENDnet 2014 report, more questions are raised than answered.” TRENDnet’s report indicates “several weaknesses of the FTC’s assessment approach to oversight. The TRENDnet report—and reports filed by other companies—are full of confusing jargon,” Hoofnagle writes. And with TRENDnet’s report “just one of over 100 such reports that the FTC is receiving nowadays under its supervision of data privacy and security cases,” Hoofnagle writes, the agency “cannot effectively supervise all the companies under consent decree.” [Full Story] SEE ALSO: [IoT Needs Privacy and Security? Hogwash]

US – DARPA Seeking Research Proposals for Analysis of Involuntary Analog Emissions

The Pentagon’s Defense Advanced Research Projects Agency (DARPA) is looking for technology capable of monitoring Internet connected devices like refrigerators and thermostats, often referred to as the Internet of Things (IoT). Specifically, DARPA is seeking “algorithms, tools, and devices for mapping analog emissions of digital devices.” [NextGov] [FBO]

US – Survey: Confidence in Security Investments Is Low

More than 80% of respondents to EMA Research’s 2015 State of File Collaboration Security survey “admitted that there have been data leakage incidents in their organizations,” with only 16% espousing high levels of confidence in their cloud system security. “Data dissemination and file collaboration are natural parts of most business and operational workflows, so security must be an integral part of the workflow to protect information,” said EMA’s David Monahan. “Unfortunately, protecting sensitive and regulated data within shared files remains a significant exposure within many organizations,” he said, adding, the “lack of capability to control unstructured data … will not only yield more data privacy breaches but will impact the adoption of advanced enterprise and cloud content management systems.” [Infosecurity Magazine]

EU – Ansip Announces Awareness Campaign

European Commission (EC) Vice-President for the Digital Single Market Andrus Ansip announced via blog post that the EC will begin a cybersecurity awareness campaign that aims to increase online security knowledge. The program includes “over 150 promotional events and activities to take place in 27 countries, with the goal of educating people about protection from digital criminals,” the report states. “People will hesitate to use e-services if they are not confident that they are reliable, safe and secure,” Ansip said. “They may actually choose not to use them at all,” and thus “we have to stay one step ahead.” [Billboard]

US – Audit Finds MIDAS Severely Vulnerable

The Department of Health and Human Services (HHS) has discovered that MIDAS, “the central electronic storehouse for information collected under President Barack Obama’s healthcare law,” has 135 system vulnerabilities, “of which nearly two dozen were classified as potentially severe or catastrophic.” “It sounds like a gold mine for ID thieves,” said the Electronic Frontier Foundation’s Jeremy Gillula. “I’m kind of surprised that this information was never compromised.” Medicare’s Andy Slavitt said “the privacy and security of consumers’ personally identifiable information are a top priority” and the problems were immediately addressed. “But,” the report states, “the episode raises questions about the government’s ability to protect a vast new database at a time when cyber-attacks are becoming bolder.” [ABC News]

US – Pentagon Issues Guidance on Breach Notices

Following the major hacks at the Office of Personnel Management, the Pentagon has issued guidance to the Department of Defense (DoD) “on considerations for making public announcements regarding breaches of private information.” In a letter, Michael Rhodes, senior official for privacy at the DoD, said the department “must continue its efforts to promote a culture to continuously ‘think privacy’ and act swiftly to develop and implement effective breach mitigation plans, when necessary.” Rhodes added that no two breaches are alike, so case-by-case analysis as well as “the use of best judgment is required for effective breach management.” [FEDweek]

US – President: “Basic International Framework” Needed

U.S. President Barack Obama has called for a “basic international framework” on cybersecurity. As Chinese President Xi Jinping’s Washington, DC, trip nears, Obama said the U.S. aims to illustrate that “economic cyber attacks” are “something that will put significant strains on a bilateral relationship if not resolved and that we are prepared to take some countervailing actions.” This comes on the heels of a revelation that China’s government “distributed a document to some American tech companies” asking they “pledge their commitment to contentious policies that could require them” to hand over user data, The New York Times reports. And Tech Times reports the Chinese government is allegedly constructing a Facebook-esque catalogue of U.S. officials. [Reuters]

US – Docs Illustrate the Days After the Target Breach

Documents detail Target’s actions immediately following its 2013 breach. Days after the breach exposed 40 million customer debit and credit card accounts, the company hired Verizon security experts to look for system vulnerabilities. The results of that investigation, which haven’t been publicly revealed until now, confirm “what pundits have long suspected,” the report states. “Once inside, there was nothing to stop attackers from gaining direct and complete access to every single cash register in every Target store.” The report also found that while Target has a password policy, it wasn’t being followed. [KrebsonSecurity]

UK – MI5 Director: “Snoopers’ Charter” Necessary

MI5 Director-General Andrew Parker has said the UK intelligence agency’s ability to spy on communications data is no different than “the work spies have been doing for a hundred years.” Parker said the so-called “snoopers’ charter” is crucial to protect citizens as the number of threats against the UK is as high as he’s seen in his 32-year career. “We need to be able to do what we have always done through our history,” he said. “To find and stop the people who threaten the UK, we need to be able to monitor the communications of terrorists and spies and others who threaten the country.” Meanwhile, a new legal challenge to surveillance programs was filed by Human Rights Watch. [Financial Times]

WW – How TV Shows Portray Mass Surveillance

Pop culture blogger Alyssa Rosenberg discusses how television programming portrays mass surveillance and predictive policing. “The rise of increasingly sophisticated surveillance technology has been a rich inspiration for popular culture in recent years,” she writes, noting “network television now has three shows on the subject.” She notes the bevy of surveillance-related shows on national television demonstrates “the mood of our times,” adding, “No matter what qualms these series might express about the civil liberties issues involved in mass surveillance or about the ethics of arresting or harming people before they’ve actually broken the law, they’ve already ceded ground on these issues in encouraging us to believe in a heightened risk of crime.” [The Washington Post]

US – Boston Subway to Track Riders With Beacons

The Massachusetts Bay Transportation Authority (MBTA), which operates the Boston public transportation system, announced it has started a yearlong pilot project that will track riders who download a special app via a Bluetooth beacon system run by a company called Intersection. In the news release, the MBTA said the project will track riders but will not collect personally identifying information and all data will be handled on a “secure, closed network.” The hope is to find ways to improve communication with transport users, map how riders use the various stations and explore “how brands can increase engagement and interaction with commuters based on proximity.” [BostInno]

US – Whose Job Is OPM Data Security?

In response to questions from Sen. Ron Wyden (D-OR), the National Counterintelligence and Security Center (NCSC) said infosecurity at the Office of Personnel Management is not NCSC’s job. According to the nation’s top counterintelligence agency, “Executive branch oversight of agency information security policies and practices rests with the Office of Management and Budget and the Department of Homeland Security.” Wyden was unimpressed, calling the response “unworthy of individuals who are being trusted to defend America.” The back-and-forth lends credence to those lawmakers who believe legislation is needed to clarify cybersecurity roles in the federal government, the report states. [The Hill]

Telecom / TV

US – New Hampshire Library Restores Tor Node

A library in Lebanon, New Hampshire that suspended its operation of a Tor relay due to concerns raised by a Department of Homeland Security investigator has restored the node. The library’s IT director said that there was no pressure to take down the relay, but that they volunteered to take it down until the board met and voted on Tuesday, September 15. The Kilton Library is a pilot participant in the Library Freedom Project. The publicity generated by the story has prompted a dozen more libraries across the US to ask for information on hosting Tor nodes. [ArsTechnica] [The Register]

US – California County Announces Cell-Site Simulator Use Policy

The Sacramento County Sheriff’s Department says it will obtain “judicial authorization” before using cell-site simulator technology often referred to as a Stingray. The SCSD’s policy also automatically seals the applications for judicial authorization and calls for collected data to be purged after each use of the technology. Earlier this month, the US Department of Justice (DoJ) unveiled its policy regarding the technology, which requires law enforcement officials within its agencies to obtain a warrant prior to its use. The DoJ’s policy does not affect other federal, state, or local law enforcement agencies. [Ars Technica] [SACSheriff]

US Legislation

US – House Committee Approves Judicial Redress Act

Inching a step closer toward a major law enforcement agreement with the European Union, the U.S. House Judiciary Committee approved a bill that would give European citizens a right to sue in U.S. courts if their personal data is misused. A major component of the EU-U.S. Umbrella Agreement, the Judicial Redress Act, is a necessary law for assuaging European concerns about the use of their data by U.S. companies. Committee Chairman Bob Goodlatte (R-VA) said, “The Judicial Redress Act can go a long way toward restoring our allies’ faith in U.S. data privacy protections and helping facilitate agreements.” In a separate column for The Hill, Rep. Jim Sensenbrenner (R-WI), an author of the bill, wrote that the legislation “is essential to U.S. law enforcement.” [The Hill]

US – Tech Firms Support Judicial Redress Act

U.S. technology companies “are lining up” to support the Judicial Redress Act. The House bill “would allow non-U.S. citizens to seek records U.S. agencies have collected and pursue legal action when such records are disclosed,” the report states, noting it would apply to citizens of “select allied nations, primarily in the European Union.” Support by technology companies shows “the sector’s latest effort to rebuild trust abroad in the wake of Edward Snowden’s disclosures, which revealed many companies were turning over customers’ communications to the U.S. government,” the report states. A group of tech firms wrote that the loss of trust “translated into significant negative commercial consequences for U.S. firms, with global consumers choosing technology solutions from other providers.” [Tech Crunch]

US – Software Alliance Backs CISA, Other Reforms

An industry group that represents a number of high-profile technology companies has sent a letter to Congressional leaders expressing its support for the Cybersecurity Information Sharing Act (CISA). The Software Alliance, which represents a number of companies including Adobe, Apple, IBM, Microsoft and Symantec, stated that CISA “will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat.” In addition to CISA, the group urges Congress to pass ECPA reform, the LEADs Act, the Judicial Redress Act and modernize the Mutual Legal Assistance Treaty. [The Daily Dot]

The California legislature has passed a DNA collection bill that would allow DNA to be collected from all felon arrestees, but only allow it to be “uploaded to the state’s database after a judicial finding of probable cause,” reports California Newswire. It now awaits Gov. Brown’s signature.

Florida will see 27 new laws going into effect on October 1, including one that deals with police using devices to track suspects.

Oregon Gov. Kate Brown signed the state’s new invasion of privacy law.

A bill introduced in Oregon’s legislature aims to protect the privacy of students when in a legal dispute with a college.

University of Wyoming students are working to pass a law that would change how student emails are labeled under the Public Records Act.

Delaware has recently enacted a “package of statutes governing the collection, storage and use of the personal information of Delaware residents by websites, Internet and cloud service providers and Internet and mobile applications.”

Maine has a new employee social media privacy law, which goes into effect on October 15.

In Wyoming, proposed legislation “would bar school district employees from requiring students to provide them access to social media accounts, smartphones or other personal digital information.”

Workplace Privacy

WW – Study: Employee Privacy Concerns Slow Device Rollout

A Bitglass study indicates that employees’ privacy concerns are slowing down companies’ efforts to roll out bring-your-own-device (BYOD) initiatives. “From an employee standpoint, the biggest challenges are privacy concerns over what does the IT department have visibility into and what do they have control over on my device … Am I giving up my privacy in exchange for having access to corporate email and apps on my device?” said Bitglass VP of Products and Marketing Rich Campagna. “As a result, BYOD adoption has been a lot lower than a lot of people expected over the last few years.” [FierceMobileIT]